BCP38 wiki (http://www.bcp38.info/index.php/Main_Page), MediaWiki 1.19.4

=BCP=
''Revision of 2013-03-29T15:45:16Z by Baylink''

A '''BCP''' is an RFC -- an Internet/IETF Request for Comments document; the standards for the Internet -- which has been tagged as promulgating '''Best Current Practices'''.

Best Current Practices are the Internet's best idea of the ways in which it itself should be built and operated, the approaches which will make it work the best and fastest, and be the hardest for bad actors to attack.

RFC numbers change, if a document is reissued in a new version (there are no 'version numbers or release dates' for RFCs); this is not true of BCP numbers: if RFC2827 were reissued as RFC, say, 9000, ''that'' would then become BCP38.

=Backbone=
''Revision of 2014-01-17T03:32:35Z by Baylink''

There are many terms which are used colloquially on the net which have somewhat amorphous definitions; one of the most prominent of these is "'''backbone'''" (and the related "'''tier 1'''").

"Backbone" is generally understood by most people to mean the [[tier 1]] carriers, and the [[tier 2]] networks which connect directly to them, either by [[peering]] or buying [[transit]].

=Botnet=
''Revision of 2014-10-16T17:39:24Z by Baylink''

A '''botnet''' is a logical network of (usually) PCs which have had software installed on them -- usually without the knowledge of the owner -- which can
* be remotely controlled by a Bad Guy and
* be used to attack other computers across the internet.
=CPE=
''Revision of 2013-04-05T16:20:05Z by Baylink''

'''CPE''' stands for [http://en.wikipedia.org/wiki/Customer-premises_equipment Customer-premises equipment].

A consumer-grade or better router in your home which implements [[NAT]] can block some outbound forged attack traffic, which might be generated by malware you don't know your computers have on them, so it is still useful, even though it is [[egress filtering]].

The following table shows a list of CPE tested with spoofing verification [[projects]]. In the 4th and 5th columns, a green 'Ok' means that the router drops the forged traffic as it should; a red 'X' means that the traffic passes through.

{| class="wikitable"
|-
!scope="col"|Vendor
!scope="col"|Model
!scope="col"|Firmware
!scope="col"|BCP38.info
!scope="col"|Spoofer (MIT)
!scope="col"|Last Test
!scope="col"|ISP
|-
|Thomson
|SpeedTouch 516
|5.3.2.6.0
|style="color:green;"|Ok
|style="color:green;"|Ok
|2013/03/31
|
|-
|SageMCom
|2864-000000-002
|FAST2864_v6740S
|style="color:red;"|X
|style="color:red;"|X
|2013/03/31
|
|}

=== Contributing to the table ===
If you have such a router, and are inclined to grab one or more of the testing programs listed on the [[projects]] page and run it, please add your data here. Note that you should say where you're testing from, "Road Runner Tampa Bay" for example, in the last column.

If your ISP already implements BCP38, you can't really test CPE, so you should probably run the testers on a PC connected directly to your DSL or cablemodem first*.

(* Note that if you do this, you're changing the Ethernet address which the cablemodem sees; this often requires power-cycling that modem so it will accept traffic from the new device, and again when you switch back.)

=Default-free zone=
''Revision of 2013-03-29T17:37:45Z by Baylink''

The ''Default-Free Zone'' is the informal name for the collection of networks (really, routers), where there is no default route set on any router; '''all''' networks to which the router may need to send a packet must have an explicit route in the routing table.

All [[tier 1]] networks are expected to live within the DFZ.

=Denial of Service Attacks=
''Revision of 2014-01-17T03:38:32Z by Baylink''

'''Denial of Service Attacks''' are any type of attack on anything that keeps the legitimate owner or user from utilizing their own resources, generally by exploiting a security provision that allows only a certain number of failed attempts at access, but sometimes simply by overloading the resource or the access paths to it.

An example of the former type might be someone purposely making a number of incorrect attempts to open a digital door lock, causing it to go into a lockdown mode for some amount of time -- this might be to keep Good Guys from getting in to thwart a burglary being conducted inside.

An example of the latter type would be a person or organization conducting an attack on a computer service operated by someone they don't like by sending more traffic to the server than can be handled reliably by either the server itself or the communications paths leading to it.
This sort of attack can be planned for by making the service distributed: putting servers to provide it in more than one place on more than one network and [[backbone]]. But while service provision can be distributed, so can the [[Distributed Denial Of Service Attacks|attacks]].
=Distributed Denial Of Service Attacks=
''Revision of 2014-01-17T03:40:55Z by Baylink''

'''Distributed Denial Of Service Attacks''' differ from [[Denial of Service Attacks|the normal sort]] in that the source of the attack is itself 'distributed'; instead of coming from one machine, it comes from a large number; hundreds, thousands, or millions, generally with command and control from one or many points, often in a 'botnet'.

This sort of attack is more difficult to mitigate than the usual type because there's often no good choke point at which to drop the incoming attack packets -- and they may come in slowly enough from each attacking host that you can't even tell they're an attack; they may be valid requests, just in unsupportable numbers.

Whether the attack is distributed or not, though, the attacker may make it even harder to shut down by obscuring the source of the attack -- by spoofing the source IP addresses in the attack packets. '''This''' is the part of the picture that BCP38 addresses: making those spoofed packets fall on the floor before entering the Internet at large.
=Egress filtering=
''Revision of 2014-01-17T03:36:13Z by Baylink''

'''Egress filtering''' is filtering packets which ''leave'' a network, as opposed to ingress filtering, which affects packets coming in.

Egress filtering is less useful overall, because the filtering is applied by ''the people who are creating the packets'', and any malware which is creating those packets has the potential to reconfigure such filters to let them out.

The difference between the two has to do with ''administrative span of control'' -- you want the filters under control unrelated to the possible sources of bad packets.

=HOWTO:Ubiquiti=
''Revision of 2016-11-21T16:16:21Z by David Corlette''

Ubiquiti is a manufacturer of popular home and small-business routers and wireless solutions.
Most of their solutions run their own proprietary "EdgeOS" although the interface should be familiar and is (I think) based on Linux.

==Typical Router Configuration==
Ubiquiti routers can be configured in many, many ways but this solution is designed primarily for typical small networks, with a small set of internal subnets and then a single outbound connection to the broader internet. The solution requires that you have configured and know the internal subnets and that those subnets won't change. There's no automatic routing here, this is all static configuration.

In the default mode, the internal networks are configured as NAT subnets and internal addresses are rewritten as they egress the router. When running CAIDA's Spoofer tool, you are told that real spoofing can't be tested, but that all addresses are rewritten. From what I can tell, this means that a malicious internal system will be able to successfully send packets to a remote DOS target, but that target will see that network traffic as coming from the external address of your home router. Probably not what you want.

==Adding Egress Filtering==
The solution here is fairly simple: add firewall rules to the internal interfaces to only accept traffic from the assigned subnet IPs. You can do this through the user interface: see the Firewall/NAT tab, then select Firewall Policies, then Add Rulesets as appropriate.

I added a separate ruleset for each interface (three in my case), assigned the ruleset to the "IN" traffic for each interface, then created an "accept" rule for the known subnet traffic, and then set the default policy to "drop".
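An added example, not part of the original page: a small Python audit of EdgeOS-style firewall rulesets against the policy described above (default policy "drop", plus an "accept" rule limited to the interface's own subnet). The sample config, the ruleset names and subnets in it, and the helper names are constructed for illustration; it checks ruleset contents only, not which interface each ruleset is assigned to.

```python
import ipaddress

# Constructed sample in the brace-delimited EdgeOS config-file syntax.
SAMPLE_CONFIG = '''
firewall {
    name GUEST_IN {
        default-action drop
        description "Guest wireless in"
        rule 1 {
            action accept
            description "Local systems"
            log disable
            protocol all
            source {
                address 10.0.4.0/24
            }
        }
    }
    name LAN_IN {
        default-action accept
        description "Wired in, default policy never changed"
    }
    name IOT_IN {
        default-action drop
        rule 1 {
            action accept
            protocol all
        }
    }
}
'''

# Hypothetical mapping: ruleset name -> subnet assigned to that interface.
EXPECTED = {
    "GUEST_IN": "10.0.4.0/24",
    "LAN_IN": "10.0.1.0/24",
    "IOT_IN": "10.0.5.0/24",
}


def parse_block(lines, pos=0):
    """Parse 'key value' leaves and 'key { ... }' blocks into nested dicts."""
    node = {}
    while pos < len(lines):
        line = lines[pos].strip()
        pos += 1
        if not line:
            continue
        if line == "}":
            return node, pos
        if line.endswith("{"):
            child, pos = parse_block(lines, pos)
            node[line[:-1].strip()] = child
        else:
            key, _, value = line.partition(" ")
            node[key] = value.strip().strip('"')
    return node, pos


def audit_rulesets(config_text, expected):
    """Return {ruleset: [findings]}; an empty list means the ruleset
    only lets the assigned subnet in and drops everything else."""
    tree, _ = parse_block(config_text.splitlines())
    firewall = tree.get("firewall", {})
    report = {}
    for name, subnet in expected.items():
        ruleset = firewall.get("name " + name)
        if ruleset is None:
            report[name] = ["ruleset missing"]
            continue
        findings = []
        if ruleset.get("default-action") != "drop":
            findings.append("default-action is not drop")
        allowed = ipaddress.ip_network(subnet)
        for key, rule in ruleset.items():
            if not key.startswith("rule ") or rule.get("action") != "accept":
                continue
            src = rule.get("source", {}).get("address")
            if src is None:
                # An accept rule with no source match passes forged sources too.
                findings.append(f"{key}: accept with no source address")
            elif not ipaddress.ip_network(src, strict=False).subnet_of(allowed):
                findings.append(f"{key}: accepts {src}, outside {subnet}")
        report[name] = findings
    return report


if __name__ == "__main__":
    for ruleset, findings in audit_rulesets(SAMPLE_CONFIG, EXPECTED).items():
        print(ruleset, "OK" if not findings else "; ".join(findings))
```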
[[File:Screen Shot 2016-11-21 at 11.12.10.png]]

The resulting configuration snippet from the config file looks like this:

 name GUEST_IN {
     default-action drop
     description "Guest wireless in"
     rule 1 {
         action accept
         description "Local systems"
         log disable
         protocol all
         source {
             address 10.0.4.0/24
         }
     }
 }

=HOWTO:CISCO:7200VXR=
''Revision of 2015-02-18T07:12:07Z by Fjb''

In this case, an old C7206VXR was used to test an upgrade from its basic setup, carrying 2 full BGP routing tables, to one that includes uRPF support on the inside interfaces. It is the perfect case to demonstrate that a good understanding/evaluation of your platform is a prerequisite to a stress-free upgrade.

The commands to apply are:
# ip cef
# interface fastethernet 5/0
# ip verify unicast source reachable-via rx

With 60MB of free memory left, executing "ip cef" in order to enable "ip verify" on the inside interface resulted in a crash:

 Mar 30 20:05:02 EDT: %FIB-3-NOMEM: Malloc Failure, disabling CEF
 <snip>

CEF should be considered as another full routing table, which in this case is over 70MB of RAM.

All is not lost: an access list can be applied to the customer interface. While the solution is not as maintenance-free as "ip verify", a note can be added to the banner to inform your technical personnel of the access list.

=HOWTO:Cisco=
''Revision of 2014-10-18T19:44:08Z by Dk''

You will find a clear description from Cisco at the following link.

http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

It covers both IOS and their firewall platforms PIX/ASA/FWSM.

=Experiences=
* [[HOWTO:Cisco:FW|Cisco ASA/PIX/FWSM]]
* Good ol' [[HOWTO:CISCO:7200VXR|C7206VXR]] in a Lab

=HOWTO:Cisco:FW=
''Revision of 2014-10-18T20:11:27Z by Dk''

==Enabling==
Source address verification is not enabled by default on Cisco ASA, PIX, or FWSM firewalls. Enabling it is done per interface. The command to enable it on an interface is:

 ip verify reverse-path interface '''interface_name'''

where '''interface_name''' is the name of the interface on which you wish to enable source address verification. This is the one-line command referenced elsewhere on the site.

For situations where the above command does not consider all use cases, an access list can be used. This access list is no different than any other access list configured on an ASA/PIX/FWSM, so your security policy must be included within the same access list. This generally means that you're already denying invalid source addresses because they aren't already explicitly permitted by inbound access lists. However, if the "any" keyword is in use on an inbound access list, you may want to consider the use of an outbound access list on interfaces facing external networks like the Internet.

Sample configuration with both inbound and outbound access lists:

 interface Gi0/0
  nameif internal
 interface Gi0/1
  nameif external
 access-list INTERNAL-IN extended permit tcp any any eq https
 access-list EXTERNAL-OUT extended permit ip ''valid source network #1'' any
 access-list EXTERNAL-OUT extended permit ip ''valid source network #2'' any
 access-list EXTERNAL-OUT extended permit ip ''valid source network #3'' any
 access-group INTERNAL-IN in interface internal
 access-group EXTERNAL-OUT out interface external

==Viewing drops/denials==
 show log
* View logs, including denials due to failed source verification

==Additional commands==
 show conn count
* Show the count of connections. Useful for baselining performance before and after a configuration change.
A much larger connection count after enabling source verification could indicate a problem with your configuration. show xlate detail * Shows active connections, including source interfaces for addresses. These source interfaces [http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/route_overview.html do not necessarily match the routing table of the firewall]. ==Command reference== [http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/i3.html#wp1839270 ASA 8.0] 134a2d0a04147879d2653535645bfd3d139c0427 176 175 2014-10-18T20:07:24Z Dk 40 /* Enabling */ ==Enabling== Source address verification is not enabled by default on Cisco ASA, PIX, or FWSM firewalls. Enabling it is done per interface. The command to enable it on an interface is: ip verify reverse-path interface '''interface_name''' where '''interface_name''' is the name of the interface you wish to enable source address verification. This is the one-line command referenced elsewhere on the site. For situations where the above command does not consider all use cases, an access list can be used. This access list is no different than any other access list configured on an ASA/PIX/FWSM, so your security policy must be included within the same access list. This generally means that you're already denying invalid source addresses because they aren't already explicitly permitted by inbound access lists. However, if the "any" keyword is in use on an inbound access list, you may want to consider the use of an outbound access list on interfaces facing external networks like the Internet. 
Sample configuration with both inbound and outbound access lists: interface Gi0/0 nameif internal interface Gi0/1 nameif external access-list INTERNAL-IN extended permit tcp any any eq https access-list EXTERNAL-OUT extended permit ip ''valid source network #1'' any access-list EXTERNAL-OUT extended permit ip ''valid source network #2'' any access-list EXTERNAL-OUT extended permit ip ''valid source network #3'' any access-group INTERNAL-IN in interface internal access-group EXTERNAL-OUT out interface external ==Viewing drops/denials== show log * View logs, including denials due to failed source verification ==Additional commands== show conn count * Show the count of connections. Useful for baselining performance before and after a configuration change. A much larger connection count after enabling source verification could indicate a problem with your configuration. show xlate detail * Shows active connections, including source interfaces for addresses. These source interfaces [http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/route_overview.html do not necessarily match the routing table of the firewall]. fa60f20e0c52cbc900720b265ce71bcfc0bb1433 175 174 2014-10-18T20:06:23Z Dk 40 /* Enabling */ ==Enabling== Enabling source address verification on a Cisco ASA, PIX, or FWSM is done per interface. The command to enable it on an interface is: ip verify reverse-path interface '''interface_name''' where '''interface_name''' is the name of the interface you wish to enable source address verification. This is the one-line command referenced elsewhere on the site. For situations where the above command does not consider all use cases, an access list can be used. This access list is no different than any other access list configured on an ASA/PIX/FWSM, so your security policy must be included within the same access list. 
This generally means that you're already denying invalid source addresses because they aren't already explicitly permitted by inbound access lists. However, if the "any" keyword is in use on an inbound access list, you may want to consider the use of an outbound access list on interfaces facing external networks like the Internet.

Sample configuration with both inbound and outbound access lists:

 interface Gi0/0
  nameif internal
 interface Gi0/1
  nameif external
 access-list INTERNAL-IN extended permit tcp any any eq https
 access-list EXTERNAL-OUT extended permit ip ''valid source network #1'' any
 access-list EXTERNAL-OUT extended permit ip ''valid source network #2'' any
 access-list EXTERNAL-OUT extended permit ip ''valid source network #3'' any
 access-group INTERNAL-IN in interface internal
 access-group EXTERNAL-OUT out interface external

==Viewing drops/denials==
 show log
* View logs, including denials due to failed source verification

==Additional commands==
 show conn count
* Show the count of connections. Useful for baselining performance before and after a configuration change. A much larger connection count after enabling source verification could indicate a problem with your configuration.

 show xlate detail
* Shows active connections, including source interfaces for addresses. These source interfaces [http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/route_overview.html do not necessarily match the routing table of the firewall].

9211967637b9df7f3f1b3d92604ce3524e17a5e7 174 2014-10-18T20:05:38Z Dk 40 Created page with "==Enabling== Enabling source address verification on a Cisco ASA, PIX, or FWSM is done per interface. The command to enable it on an interface is: ip verify reverse-path int..."

==Enabling==
Enabling source address verification on a Cisco ASA, PIX, or FWSM is done per interface.
The command to enable it on an interface is:

 ip verify reverse-path interface '''interface_name'''

where '''interface_name''' is the name of the interface on which you wish to enable source address verification. This is the one-line command referenced elsewhere on the site.

For situations where the above command does not consider all use cases, an access list can be used. This access list is no different than any other access list configured on an ASA/PIX/FWSM, so your security policy must be included within the same access list. This generally means that you're already denying invalid source addresses because they aren't already explicitly permitted. However, if the "any" keyword is in use on an inbound access list, you may want to consider the use of an outbound access list on interfaces facing external networks like the Internet.

Sample configuration with both inbound and outbound access lists:

 interface Gi0/0
  nameif internal
 interface Gi0/1
  nameif external
 access-list INTERNAL-IN extended permit tcp any any eq https
 access-list EXTERNAL-OUT extended permit ip ''valid source network #1'' any
 access-list EXTERNAL-OUT extended permit ip ''valid source network #2'' any
 access-list EXTERNAL-OUT extended permit ip ''valid source network #3'' any
 access-group INTERNAL-IN in interface internal
 access-group EXTERNAL-OUT out interface external

==Viewing drops/denials==
 show log
* View logs, including denials due to failed source verification

==Additional commands==
 show conn count
* Show the count of connections. Useful for baselining performance before and after a configuration change. A much larger connection count after enabling source verification could indicate a problem with your configuration.

 show xlate detail
* Shows active connections, including source interfaces for addresses. These source interfaces [http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/route_overview.html do not necessarily match the routing table of the firewall].
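
The following is an added example, not part of the original page and not Cisco's implementation: a simplified Python model of the two checks described above, a strict reverse-path lookup and an outbound list of valid source networks. The route table, packets, documentation prefixes and the second-provider network are constructed assumptions; only the interface names come from the sample configuration.

```python
import ipaddress

# Constructed routing table: (prefix, interface used to reach that prefix).
# Interface names follow the page's sample configuration; the prefixes are
# documentation ranges chosen for this example.
ROUTES = [
    ("192.0.2.0/24", "internal"),
    ("198.51.100.0/24", "internal"),
    ("0.0.0.0/0", "external"),
]

# Constructed stand-ins for the "valid source network" entries of EXTERNAL-OUT.
EXTERNAL_OUT = ["192.0.2.0/24", "198.51.100.0/24"]

# Assumption: an inside host also holds an address from a second provider's
# block (the multihomed case); the firewall has no route to it via "internal".
SECOND_PROVIDER_NET = "203.0.113.0/24"

# Constructed packets: (source address, interface the packet arrived on).
PACKETS = [
    ("192.0.2.10", "internal"),     # ordinary inside host
    ("198.51.100.20", "internal"),  # ordinary inside host
    ("203.0.113.7", "internal"),    # forged source, or the multihomed host
    ("10.99.1.1", "internal"),      # forged private source
]


def best_route(routes, addr):
    """Longest-prefix match: return the outgoing interface name, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def reverse_path_ok(routes, src, in_if):
    """Strict check: the route back to src must use the arrival interface."""
    return best_route(routes, src) == in_if


def acl_permits(permit_nets, src):
    """Permit list with an implicit deny for everything not matched."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(net) for net in permit_nets)


def evaluate(packets, routes, permit_nets):
    """Map each source to (reverse-path verdict, outbound-ACL verdict)."""
    return {
        src: (reverse_path_ok(routes, src, in_if), acl_permits(permit_nets, src))
        for src, in_if in packets
    }


if __name__ == "__main__":
    for src, verdicts in evaluate(PACKETS, ROUTES, EXTERNAL_OUT).items():
        print(src, "reverse-path:", verdicts[0], "EXTERNAL-OUT:", verdicts[1])
    # The access-list route for the multihomed exception: permit the second
    # provider's block explicitly while the strict check would still drop it.
    widened = EXTERNAL_OUT + [SECOND_PROVIDER_NET]
    print("203.0.113.7 with exception:", acl_permits(widened, "203.0.113.7"))
```

In this model the default route satisfies the reverse-path check for any source arriving on the external interface that has no more specific route, so the check is most selective on the internal side.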
ac164bf814fb3a9e0872dad74ac4071508d2f1ee HOWTO:MikroTik 0 40 123 2014-01-17T15:25:28Z Aled Morris 27 Created page with "MikroTik is a Latvian company which was founded in 1995 to develop routers and wireless ISP systems. MikroTik now provides hardware and software for Internet connectivity in m..." MikroTik is a Latvian company which was founded in 1995 to develop routers and wireless ISP systems. MikroTik now provides hardware and software for Internet connectivity in most of the countries around the world. [http://www.mikrotik.com/ MikroTik Home Page] =RouterOS v6= RouterOS version 6 introduced many features to enhance security including Unicast Reverse Path Filtering. ==RouterOS v6 Security by Tom Smyth== * [http://mum.mikrotik.com/presentations/HR13/legend.pdf Slides] * [http://tiktube.com/video/oLgD3gJJimoLlIDmLnFrFtGtIlqoHDoF= Video] 91658d0df3e346e1d044b6df78a9af2fa7c6d1e1 How To's 0 14 193 122 2016-11-21T15:55:22Z David Corlette 46 Added Ubiquiti =Identification= * How can I find out if my peer is supporting BCP38? =Configuration= In the following sections, you will find configuration and possibly analysis on deploying a BCP38 solution for the vendors listed. * [[HOWTO:Brocade|Brocade (Foundry)]] * [[HOWTO:Cisco|Cisco]] * [[HOWTO:EN|Extreme Networks]] * [[HOWTO:Juniper|Juniper]] * [[HOWTO:MikroTik|MikroTik]] * [[HOTWO:Ubiquiti|Ubiquiti]] =Prevention= * Identification of services used in DDoS Amplification. * Solutions for DNS * Solutions for SNMP * Solutions for Xyz 5a78aab6bfe2d4c0c09ab1ee7cc145fdef29bfc5 122 35 2014-01-17T15:13:59Z Aled Morris 27 /* Configuration */ Added MikroTik page =Identification= * How can I find out if my peer is supporting BCP38? =Configuration= In the following sections, you will find configuration and possibly analysis on deploying a BCP38 solution for the vendors listed. 
* [[HOWTO:Brocade|Brocade (Foundry)]] * [[HOWTO:Cisco|Cisco]] * [[HOWTO:EN|Extreme Networks]] * [[HOWTO:Juniper|Juniper]] * [[HOWTO:MikroTik|MikroTik]] =Prevention= * Identification of services used in DDoS Amplification. * Solutions for DNS * Solutions for SNMP * Solutions for Xyz 28dd322adf46e49b52cd64fad2f3a24cf6bd7a7f 35 34 2013-03-31T00:12:10Z BCP38 Moderator 1 /* Configuration */ =Identification= * How can I find out if my peer is supporting BCP38? =Configuration= In the following sections, you will find configuration and possibly analysis on deploying a BCP38 solution for the vendors listed. * [[HOWTO:Brocade|Brocade (Foundry)]] * [[HOWTO:Cisco|Cisco]] * [[HOWTO:EN|Extreme Networks]] * [[HOWTO:Juniper|Juniper]] =Prevention= * Identification of services used in DDoS Amplification. * Solutions for DNS * Solutions for SNMP * Solutions for Xyz d81f4ee3a9d66ccee15370783b25e4ab795b9cd7 34 33 2013-03-30T23:57:51Z BCP38 Moderator 1 =Identification= * How can I find out if my peer is supporting BCP38? =Configuration= In the following sections, you will find configuration and possibly analysis on deploying a BCP38 solution for the vendors listed. * Brocade (Foundry) * Cisco * Extreme Networks * Juniper =Prevention= * Identification of services used in DDoS Amplification. * Solutions for DNS * Solutions for SNMP * Solutions for Xyz 2a4960edf93023300fc90ab09f4f8cf120580382 33 2013-03-30T23:55:58Z BCP38 Moderator 1 Created page with " ==Identification== * How can I find out if my peer is supporting BCP38? ==Configuration== In the following sections, you will find configuration and possibly analysis on ..." ==Identification== * How can I find out if my peer is supporting BCP38? ==Configuration== In the following sections, you will find configuration and possibly analysis on deploying a BCP38 solution for the vendors listed. * Brocade (Foundry) * Cisco * Extreme Networks * Juniper ==Prevention== * Identification of services used in DDoS Amplification. 
* Solutions for DNS
* Solutions for SNMP
* Solutions for Xyz

161b19370ea885662e62bdd500730f21f3c839fc IP Addresses 0 12 26 2013-03-30T19:10:55Z Baylink 4 Created page with "'''IP Addresses''' are the addresses used to determine where a packet on the Internet is going, so that routers can decide how to send it along to its next hop. They're also ..."

'''IP Addresses''' are the addresses used to determine where a packet on the Internet is going, so that routers can decide how to send it along to its next hop. They're also used to identify where the packet came from, so that the other end knows how to address its reply packets, so that they go back to the server that started the exchange.

The initial design of the Internet didn't pay much attention to source IP addresses; all routers need is the destination, to determine which adjacent router to send the packet to. But as the Internet has matured, it has become more complex, and more fully used by non-technical entities like governments and banks, and the reasons why a packet might appear at a router with a source address that router does not have a connection back to have increased.

These reasons might be valid -- an end site with a smart, 2-port router which knows how to do load-balancing, and sometimes send packets out its port B with the IP address of its port A, which belongs to a different Internet Access Provider -- or they might be invalid; they might be evidence of either a misconfigured endpoint system, or one which is purposefully participating in some kind of attack on a remote system, and does not want the packets it's sending to be identifiable as to their source.

Successful [[ingress filtering]] will block the latter packets while making it possible still to forward along the former.
5a58c3d3893d263a016408b5c951f03f18a3b891 IP Source Address Spoofing 0 6 12 2013-03-29T17:25:56Z Baylink 4 Created page with "Each IP packet -- the fundamental unit of data transmission over [[The Internet]] -- has a number of pieces of metadata attached to it, generally called 'headers'. The most i..." Each IP packet -- the fundamental unit of data transmission over [[The Internet]] -- has a number of pieces of metadata attached to it, generally called 'headers'. The most important of these headers are the source and destination addresses. '''IP Source Address Spoofing''' is the practice of sending those packets out with a forged, incorrect source address. This generally means that the receiver will not be able to reply to you, but for the purposes of an attacker, this is a feature, rather than a bug. It is possible to send out IP packets with a source address which is not that of the interface you're sending them through in one other case: when a host or network is [[multihomed]] -- when it has more than one network connection. Sometimes in this case, packets will be sent out the "wrong" network connection, but the destination site will still be able to reply because the address really does point to the sending host; it merely doesn't do so ''on the network over which the packet was sent''. Because this is possible, you cannot always assume that a packet being received with an address you didn't expect is a fraudulent, attacking packet, and exceptions must be able to be made by people implementing BCP38. 654981402f0e9a9cabbcfd8149221ea2d1b959ef Information for 'eyeball' networks 0 23 49 2013-03-31T15:13:20Z Baylink 4 Created page with "=== What is BCP38? === === What Does It Mean To Me? === === How Do I Tell If I Have It Already? === === How Does Having It Affect Me? === === How Does ''Not'' Having It Af..." === What is BCP38? === === What Does It Mean To Me? === === How Do I Tell If I Have It Already? === === How Does Having It Affect Me? 
=== === How Does ''Not'' Having It Affect Me? === === How Do I Set It Up? === === What Does It Cost Me? === 2c2afe78d8dc33f99214093305c22d0e803ce441 Information for backbone providers/network engineers 0 24 51 50 2013-03-31T15:16:47Z Baylink 4 '''"Backbone" networks''', in general, are networks whose primary customers are other networks, be they [[tier 1]] or lower; you sell transit to people who operate smaller networks, and peer with larger ones; you generally have a large amount of this type of traffic, even if you also provision circuits directly to end-users. In this section, we'll discuss how BCP38 applies to you ''as a backbone operator''; if you also sell transit or have end-user customers, see also those sections. === What is BCP38? === === What Does It Mean To Me? === === How Do I Tell If I Have It Already? === === How Does Having It Affect Me? === === How Does ''Not'' Having It Affect Me? === === How Do I Set It Up? === === What Does It Cost Me? === d1034dd42f1720874d965644c53790fcdafb706d 50 2013-03-31T15:16:28Z Baylink 4 Created page with "'''"Backbone" networks''', in general, are networks whose primary customers are other networks, be they [[tier 1]] or lower; you sell transit to people who operate smaller net..." '''"Backbone" networks''', in general, are networks whose primary customers are other networks, be they [[tier 1]] or lower; you sell transit to people who operate smaller networks, and peer with larger ones; you generally have a large amount of this type of traffic, even if you also provision circuits directly to end-users. In this section, we'll discuss how BCP38 applies to you ''as a backbone operator''; if you also sell transit or have end-user customers, see also those sections. === What is BCP38? === === What Does It Mean To Me? === === How Do I Tell If I Have It Already? === === How Does Having It Affect Me? === === How Does ''Not'' Having It Affect Me? === === How Do I Set It Up? === === What Does It Cost Me? 
=== c9bb773104e97d41101134bd2a43a1901a7012e5 Information for end-users 0 13 163 121 2014-10-16T17:37:27Z Baylink 4 This page explains [[Main Page|BCP38]] to end-users, people who have an internet connection, and either a single PC, or perhaps a router and a couple of PCs, a tablet, a smart TV set, and an XBox, or the like. Homes, and very small offices. If you have a larger network, see the Main Page for links to pages which discuss BCP38 in those contexts. === What is BCP38? === BCP38 is a practice for making it harder for people to attack the Internet and servers and websites you connect to over it; it's a way for ISPs to set up their equipment so that end-user computers -- like yours -- cannot send traffic through it with forged return addresses. This is important because this sort of forged traffic is often used for this type of attack, and if the return addresses are forged, then the person being attacked (and their network provider, in turn) cannot determine whom to contact to report the attack, so that it can be shut down. Just as importantly: if your computer gets infected by malware, then your provider can inform you that it's sending forged attack traffic '''if''' they implement BCP38, so that you can get it fixed. If they don't, you might never know. === What Does It Mean To Me? === For end-users, mostly what it means to you is that it keeps your computer from contributing to such an attack if it is infected by '[[malware]]', and possibly made part of a '[[botnet]]'; if such a malicious program somehow finds its way onto your computer and is told to launch such an attack, the traffic it sends out will either be blocked because it has forged return addresses, or will at least be traceable, so that you can be notified, and take steps to remove the bad programs from your PC. === How Do I Tell If I Have It Already? 
=== There are several research [[projects]] which provide software that you can run which will tell you if your ISP has already implemented BCP38 or not. Some of these provide simple yes/no answers, while others do a bit more testing, and provide more comprehensive results. === How Does Having It Affect Me? === For small end-users, people with just one PC, or a few PCs, maybe a smart TV and a game console, and a consumer router or wireless router? You shouldn't ever even notice if your ISP has enabled BCP38; it has no effect whatever on normal, valid internet traffic. If you're a small to medium business, see those pages. === How Does ''Not'' Having It Affect Me? === If your ISP does ''not'' presently implement BCP38, then they are contributing to bad weather on the Internet; some of the [[sample attacks|attacks]] and types of attacks which BCP38 prevents can cause insanely large traffic flows all to converge at one spot on the Internet; an attack in March 2013 caused 300 ''gigabits per second'' of attack traffic to one site. That's '''two thousand times''' the fastest Verizon FiOS connection you can get; the attack likely came from over 100,000 individual infected PCs, or more. Think of BCP38 as being like the law that forbids you to get out of your running car in a parking lot and leave it there while you go in a store: if someone walks up and drives off in it, and hits a bunch of people, *you* are responsible. While at the moment, the responsibility for the attacks BCP38 can prevent is moral, rather than legal, we never know what might change in the future. BCP38: Ask For It By Name. :-) (In practice, if you call your cable or DSL ISP today and ask if they implement BCP38, your odds of getting someone who knows what that means are about 1:1000. That's what we're trying to change. If a million people this year do it... it will.) === How Do I Set It Up? === In general, you don't have to. 
If you're an end-user, implementing BCP38 is the responsibility of your ISP, be they dialup, cablemodem, DSL, or 'fiber'. The faster your connection, the more important it is. If you don't already have a router or wireless router at your home or very small business, you probably should, and most '[[CPE]]' routers will provide you with some in-house blocking for many (though possibly not all) types of forged attack packets. If you have a router, or are going to get one, and it uses multiple uplink connections to different ISPs, then you need to see the small business page as well. === What Does It Cost Me? === Generally, it shouldn't cost you anything--your ISP does the work--unless you don't have a router, and you want to get one. Decent high-speed consumer routers are well under $100 these days, and often under $50, even for wireless models. Well, ok, it might cost you the time to call your ISP on the phone and ask them if they implement BCP38. And to listen to the front-line guys say "implement what-now?" :-) 159e103f34bf04b04af96f865b881aab0305aa25 121 90 2014-01-17T03:48:05Z Baylink 4 /* What is BCP38? */ This page explains BCP38 to end-users, people who have an internet connection, and either a single PC, or perhaps a router and a couple of PCs, a tablet, a smart TV set, and an XBox, or the like. Homes, and very small offices. If you have a larger network, see the Main Page for links to pages which discuss BCP38 in those contexts. === What is BCP38? === BCP38 is a practice for making it harder for people to attack the Internet and servers and websites you connect to over it; it's a way for ISPs to set up their equipment so that end-user computers -- like yours -- cannot send traffic through it with forged return addresses. 
This is important because this sort of forged traffic is often used for this type of attack, and if the return addresses are forged, then the person being attacked (and their network provider, in turn) cannot determine whom to contact to report the attack, so that it can be shut down. Just as importantly: if your computer gets infected by malware, then your provider can inform you that it's sending forged attack traffic '''if''' they implement BCP38, so that you can get it fixed. If they don't, you might never know. === What Does It Mean To Me? === For end-users, mostly what it means to you is that it keeps your computer from contributing to such an attack if it is infected by '[[malware]]', and possibly made part of a '[[botnet]]'; if such a malicious program somehow finds its way onto your computer and is told to launch such an attack, the traffic it sends out will either be blocked because it has forged return addresses, or will at least be traceable, so that you can be notified, and take steps to remove the bad programs from your PC. === How Do I Tell If I Have It Already? === There are several research [[projects]] which provide software that you can run which will tell you if your ISP has already implemented BCP38 or not. Some of these provide simple yes/no answers, while others do a bit more testing, and provide more comprehensive results. === How Does Having It Affect Me? === For small end-users, people with just one PC, or a few PCs, maybe a smart TV and a game console, and a consumer router or wireless router? You shouldn't ever even notice if your ISP has enabled BCP38; it has no effect whatever on normal, valid internet traffic. If you're a small to medium business, see those pages. === How Does ''Not'' Having It Affect Me? 
=== If your ISP does ''not'' presently implement BCP38, then they are contributing to bad weather on the Internet; some of the [[sample attacks|attacks]] and types of attacks which BCP38 prevents can cause insanely large traffic flows all to converge at one spot on the Internet; an attack in March 2013 caused 300 ''gigabits per second'' of attack traffic to one site. That's '''two thousand times''' the fastest Verizon FiOS connection you can get; the attack likely came from over 100,000 individual infected PCs, or more. Think of BCP38 as being like the law that forbids you to get out of your running car in a parking lot and leave it there while you go in a store: if someone walks up and drives off in it, and hits a bunch of people, *you* are responsible. While at the moment, the responsibility for the attacks BCP38 can prevent is moral, rather than legal, we never know what might change in the future. BCP38: Ask For It By Name. :-) (In practice, if you call your cable or DSL ISP today and ask if they implement BCP38, your odds of getting someone who knows what that means are about 1:1000. That's what we're trying to change. If a million people this year do it... it will.) === How Do I Set It Up? === In general, you don't have to. If you're an end-user, implementing BCP38 is the responsibility of your ISP, be they dialup, cablemodem, DSL, or 'fiber'. The faster your connection, the more important it is. If you don't already have a router or wireless router at your home or very small business, you probably should, and most '[[CPE]]' routers will provide you with some in-house blocking for many (though possibly not all) types of forged attack packets. If you have a router, or are going to get one, and it uses multiple uplink connections to different ISPs, then you need to see the small business page as well. === What Does It Cost Me? === Generally, it shouldn't cost you anything--your ISP does the work--unless you don't have a router, and you want to get one. 
Decent high-speed consumer routers are well under $100 these days, and often under $50, even for wireless models. Well, ok, it might cost you the time to call your ISP on the phone and ask them if they implement BCP38. And to listen to the front-line guys say "implement what-now?" :-) aad53471059112d627eadc94c281f271711ce968 90 86 2013-04-05T16:22:43Z Baylink 4 This page explains BCP38 to end-users, people who have an internet connection, and either a single PC, or perhaps a router and a couple of PCs, a tablet, a smart TV set, and an XBox, or the like. Homes, and very small offices. If you have a larger network, see the Main Page for links to pages which discuss BCP38 in those contexts. === What is BCP38? === BCP38 is a practice for making it harder for people to attack the Internet and servers and websites you connect to over it; it's a way for ISPs to set up their equipment so that end-user computers cannot send traffic through it with forged return addresses. This is important because this sort of forged traffic is often used for this type of attack, and if the return addresses are forged, then the person being attacked (and their network provider, in turn) cannot determine whom to contact to report the attack, so that it can be shut down. === What Does It Mean To Me? === For end-users, mostly what it means to you is that it keeps your computer from contributing to such an attack if it is infected by '[[malware]]', and possibly made part of a '[[botnet]]'; if such a malicious program somehow finds its way onto your computer and is told to launch such an attack, the traffic it sends out will either be blocked because it has forged return addresses, or will at least be traceable, so that you can be notified, and take steps to remove the bad programs from your PC. === How Do I Tell If I Have It Already? === There are several research [[projects]] which provide software that you can run which will tell you if your ISP has already implemented BCP38 or not. 
Some of these provide simple yes/no answers, while others do a bit more testing, and provide more comprehensive results. === How Does Having It Affect Me? === For small end-users, people with just one PC, or a few PCs, maybe a smart TV and a game console, and a consumer router or wireless router? You shouldn't ever even notice if your ISP has enabled BCP38; it has no effect whatever on normal, valid internet traffic. If you're a small to medium business, see those pages. === How Does ''Not'' Having It Affect Me? === If your ISP does ''not'' presently implement BCP38, then they are contributing to bad weather on the Internet; some of the [[sample attacks|attacks]] and types of attacks which BCP38 prevents can cause insanely large traffic flows all to converge at one spot on the Internet; an attack in March 2013 caused 300 ''gigabits per second'' of attack traffic to one site. That's '''two thousand times''' the fastest Verizon FiOS connection you can get; the attack likely came from over 100,000 individual infected PCs, or more. Think of BCP38 as being like the law that forbids you to get out of your running car in a parking lot and leave it there while you go in a store: if someone walks up and drives off in it, and hits a bunch of people, *you* are responsible. While at the moment, the responsibility for the attacks BCP38 can prevent is moral, rather than legal, we never know what might change in the future. BCP38: Ask For It By Name. :-) (In practice, if you call your cable or DSL ISP today and ask if they implement BCP38, your odds of getting someone who knows what that means are about 1:1000. That's what we're trying to change. If a million people this year do it... it will.) === How Do I Set It Up? === In general, you don't have to. If you're an end-user, implementing BCP38 is the responsibility of your ISP, be they dialup, cablemodem, DSL, or 'fiber'. The faster your connection, the more important it is. 
If you don't already have a router or wireless router at your home or very small business, you probably should, and most '[[CPE]]' routers will provide you with some in-house blocking for many (though possibly not all) types of forged attack packets. If you have a router, or are going to get one, and it uses multiple uplink connections to different ISPs, then you need to see the small business page as well. === What Does It Cost Me? === Generally, it shouldn't cost you anything--your ISP does the work--unless you don't have a router, and you want to get one. Decent high-speed consumer routers are well under $100 these days, and often under $50, even for wireless models. Well, ok, it might cost you the time to call your ISP on the phone and ask them if they implement BCP38. And to listen to the front-line guys say "implement what-now?" :-) 6ce057dc145e2ff90a3e1865cc93c0545f5e8b53 86 85 2013-04-05T16:12:57Z Baylink 4 /* What Does It Cost Me? */ === What is BCP38? === BCP38 is a practice for making it harder for people to attack the Internet and servers and websites you connect to over it; it's a way for ISPs to set up their equipment so that end-user computers cannot send traffic through it with forged return addresses. This is important because this sort of forged traffic is often used for this type of attack, and if the return addresses are forged, then the person being attacked (and their network provider, in turn) cannot determine whom to contact to report the attack, so that it can be shut down. === What Does It Mean To Me? 
=== For end-users, mostly what it means to you is that it keeps your computer from contributing to such an attack if it is infected by '[[malware]]', and possibly made part of a '[[botnet]]'; if such a malicious program somehow finds its way onto your computer and is told to launch such an attack, the traffic it sends out will either be blocked because it has forged return addresses, or will at least be traceable, so that you can be notified, and take steps to remove the bad programs from your PC. === How Do I Tell If I Have It Already? === There are several research [[projects]] which provide software that you can run which will tell you if your ISP has already implemented BCP38 or not. Some of these provide simple yes/no answers, while others do a bit more testing, and provide more comprehensive results. === How Does Having It Affect Me? === For small end-users, people with just one PC, or a few PCs, maybe a smart TV and a game console, and a consumer router or wireless router? You shouldn't ever even notice if your ISP has enabled BCP38; it has no effect whatever on normal, valid internet traffic. If you're a small to medium business, see those pages. === How Does ''Not'' Having It Affect Me? === If your ISP does ''not'' presently implement BCP38, then they are contributing to bad weather on the Internet; some of the [[sample attacks|attacks]] and types of attacks which BCP38 prevents can cause insanely large traffic flows all to converge at one spot on the Internet; an attack in March 2013 caused 300 ''gigabits per second'' of attack traffic to one site. That's '''two thousand times''' the fastest Verizon FiOS connection you can get; the attack likely came from over 100,000 individual infected PCs, or more. Think of BCP38 as being like the law that forbids you to get out of your running car in a parking lot and leave it there while you go in a store: if someone walks up and drives off in it, and hits a bunch of people, *you* are responsible. 
While at the moment, the responsibility for the attacks BCP38 can prevent is moral, rather than legal, we never know what might change in the future.

BCP38: Ask For It By Name. :-)

(In practice, if you call your cable or DSL ISP today and ask if they implement BCP38, your odds of getting someone who knows what that means are about 1:1000. That's what we're trying to change. If a million people this year do it... it will.)

=== How Do I Set It Up? ===
In general, you don't have to. If you're an end-user, implementing BCP38 is the responsibility of your ISP, be they dialup, cablemodem, DSL, or 'fiber'. The faster your connection, the more important it is. If you don't already have a router or wireless router at your home or very small business, you probably should, and most '[[CPE]]' routers will provide you with some in-house blocking for many (though possibly not all) types of forged attack packets. If you have a router, or are going to get one, and it uses multiple uplink connections to different ISPs, then you need to see the small business page as well.

=== What Does It Cost Me? ===
Generally, it shouldn't cost you anything--your ISP does the work--unless you don't have a router, and you want to get one. Decent high-speed consumer routers are well under $100 these days, and often under $50, even for wireless models. Well, ok, it might cost you the time to call your ISP on the phone and ask them if they implement BCP38. And to listen to the front-line guys say "implement what-now?" :-)
==What you can do==
There are many projects you can contribute to:
* Spoofer project - http://spoofer.csail.mit.edu - Working on establishing how widely IP spoofing is still possible.
* Bindguard - http://bindguard.activezone.de - A BIND log scanner used to reduce the impact of your open resolver in amplification attacks.
* Open Resolver Project - http://openresolverproject.org - Providing information on the state of open resolvers and information about what to do about yours.

''This needs heavy editing''

Information for end-users/es 0 37 108 2013-04-09T13:39:43Z Huguei 9 Created page with "This page explains BCP38 to end users, people who have an Internet connection and just one PC, or perhaps a router and a couple of PCs, a tablet, a sm..."

This page explains BCP38 to end users, people who have an Internet connection and just one PC, or perhaps a router and a couple of PCs, a tablet, a smart TV device, an Xbox, or something similar. Homes and very small offices. If you have a larger network than this, look on the Main Page for links to pages that discuss BCP38 in those contexts.

=== What is BCP38? ===
BCP38 is a practice that makes it harder for people to attack the Internet and the servers and websites people connect to; it is a way for Internet Service Providers (ISPs) to configure their equipment so that end-user computers cannot send traffic using forged addresses.
This is important because this kind of fraudulent traffic is commonly used for this type of attack, and if the source addresses are forged, the people being attacked (and, in turn, their network providers) cannot determine whom to report the attack to so that it can be stopped.

=== What Does It Mean To Me? ===
For end users, this means their computers can be kept from contributing to an attack if they are infected with '[[malware]]' and possibly made part of a '[[botnet]]'. If one of these malicious programs manages to install itself on your computer and is instructed to launch one of these attacks, the traffic it sends will be blocked because it uses a forged return address, or will at least be easily traceable, so that the user can be notified and take the steps needed to remove the malicious programs from their PC.

=== How Can I Tell If I Already Have It? ===
There are quite a few research [[proyectos|projects]] that provide software you can run, which will tell you whether your Internet Service Provider (ISP) has already implemented BCP38. Some of these give simple yes/no answers, while others go a little deeper and give more detailed results.

=== How Does Having It Affect Me? ===
For small end users (people with just one PC, or a few PCs, perhaps a smart TV and a game console, and a home router with wireless wifi), you will not even be able to tell whether your ISP has enabled BCP38. It has no effect on normal, valid Internet traffic. For users with a small or medium-sized business, see the following pages.

=== How Does ''Not'' Having It Affect Me? ===
If your ISP does ''not'' currently implement BCP38, then they are contributing to bad weather on the Internet; some of the [[sample attacks|attacks]] and types of attack that BCP38 prevents can cause impressive amounts of traffic to converge on a single point on the Internet; an attack in March 2013 produced 300 ''gigabits per second'' of traffic directed at one site. That is '''two thousand times''' the fastest connection a typical ISP delivers; the attack probably came from more than 100,000 individual infected computers.

Think of BCP38 as being like the law that forbids you to leave a car running in a parking lot while you go into the store: if someone gets into the car and crashes it, and harms a group of people, ''you'' are responsible. Although for the moment the responsibility for an attack that BCP38 can prevent is moral rather than legal, we do not know whether that might change in the future.

BCP38: Ask For It By Name. :-)

(In practice, if you call your cable or ADSL provider today and ask whether they implement BCP38, the odds that someone will know what you are talking about are 1 in 1,000. That is what we are trying to change. If a million people do it this year, that will do it.)

=== How Can I Enable It Myself? ===
In general, you do not have to. If you are an end user, implementing BCP38 is the responsibility of your ISP, whether it is dial-up, cable, ADSL, or 'fiber'. The faster your connection, the more important it is that they do so. If you do not yet have a router (wireless or not) at your home or small business, you will probably need one. Most '[[CPE]]' routers will give you some kind of blocking inside your home for most (if not possibly all) types of attack using forged packets.
If you already have a router, or are thinking of buying one, and it uses more than one connection to different ISPs, then you will also need to look at the page for small businesses.

=== How Much Will It Cost Me? ===
In general this should not cost you anything--your ISP is the one doing the work--unless you do not have a router and want to buy one. Good high-speed routers for end users are well under 100 dollars these days, even under 50 dollars, even for models with wireless networking. Well, it might cost you the time to call your ISP and ask them whether they implement it. And to listen to the operator say "implement what?" :-)

Information for enterprises 0 21 172 159 2014-10-18T19:39:04Z Dk 40 /* How Do I Set It Up? */

=== What is BCP38? ===
BCP38 is a Best Current Practice published by the IETF which outlines methods for filtering out packets that are injected into a network with a spoofed source address. BCP38 was ratified in May 2000.

=== What Does It Mean To Me? ===
Due to the ever-growing frequency and size of DDoS attacks directed towards enterprise customers, BCP38 is becoming a critical tool in helping mitigate DDoS. What it means to the enterprise is twofold:
: Having an Internet Service Provider who is BCP38 compliant can help drop traffic if you come under DDoS attack.
: Being BCP38 compliant can stop your devices participating in a DDoS.
Overall, implementing BCP38 will make the Internet a better place for all users, not just your network.

=== How Do I Tell If I Have It Already? ===

=== How Does Having It Affect Me? ===

=== How Does ''Not'' Having It Affect Me? ===

=== How Do I Set It Up? ===
The exact steps to set up source address verification depend on the equipment that you use, its capabilities, and your topology.
A deployment does not have to occur all at once and, like other aspects of network security, need not be perfect at every point in order to gain benefit. For example, if one of your routers cannot check source addresses without impacting performance, you may be able to perform the checking upstream or downstream of the device and still achieve the desired result.

Below are some places where it can generally be enabled with no impact to valid traffic. In all cases, '''know your network''' and research all commands, including any possible undesired side effects, before making any changes. '''Use at your own risk.'''

====User LANs====
These LANs only contain desktops/laptops and possibly IP phones. These LANs are often the easiest to set up, but can also be the most work as these are often the most numerous type of network in an enterprise.

Suggested deployment plan:
* Confirm that all nodes on the LAN are actually endpoints. You may discover routers, firewalls, or other layer 3-aware devices on user LANs as part of your audit. You may also find users running VMs on their PCs that run software routers or firewalls. If you do, exceptions will generally need to be made or these devices moved to other networks.
* Identify all routers for the network. This is often just two routers&mdash;or layer 3 switches&mdash;running HSRP or VRRP between them.
* Confirm the source address filtering capabilities of the routers for the network, and determine the appropriate commands. This could be a one-line command to enable verification, or require a LAN-specific access list.
* Establish a baseline of CPU utilization for the routers on the network, as well as TCAM utilization.
* Deploy source address verification using the commands determined above&mdash;either using the single verification command, or as an access list applied inbound on the interface facing the user desktops/laptops/phones.
* Check CPU and TCAM utilization, as well as the device logs for any packets that were denied. The exact commands will differ per hardware platform.

====Connections to your ISPs - major connections - outbound access list method====
These connections are the circuits to your Internet Service Providers. It's assumed that you have multiple connections&mdash;with some shared among multiple locations&mdash;and having an identical access list at all of your connections to the Internet is preferred for ease of deployment. An identical access list can also minimize changes should your underlying topology change or be consolidated. This plan may be used when it is not feasible to check packets received on interfaces that face your internal infrastructure.

Suggested deployment plan:
* Establish a list of all Internet-routable networks you are advertising via BGP and all networks statically routed to your network from your ISP. This is generally address space you obtained from an Internet registry like ARIN, RIPE, APNIC, AfriNIC, or LACNIC, or address space delegated to you from your ISP(s).
* Create an access list that permits packets containing these addresses as sources. The access list should end with a "deny" statement that logs exceptions, but the logging may be omitted if hardware limitations are a concern.
* Establish a baseline of CPU utilization for your router that is connected to your ISP(s), as well as TCAM utilization.
* Deploy the access list and apply it as an outbound access list on the interface(s) facing your ISP(s).
* Check CPU and TCAM utilization, as well as the device logs for any packets that were denied. The exact commands will differ per hardware platform.

====Connections to your ISPs - major connections - inbound access list or RPF command====
This is an alternate way to check the source addresses of packets sent to your ISP(s) but could require more steps to deploy in large organizations or those with more connections to internal infrastructure.
In this plan source address checking occurs when packets enter the router that has connections to your ISP(s) such that outbound checking is not needed. Each of the interfaces facing your internal infrastructure, if you have more than one, must have this enabled or there is still the potential to emit packets with spoofed source addresses. Checking the source addresses via another method downstream&mdash;like on a firewall off the interface&mdash;can plug such a gap.

Suggested deployment plan:
* Establish a list of all Internet-routable networks that could appear as source addresses in packets from each interface. Consider disaster recovery, planned maintenance, and unplanned outage scenarios, and any address space that is used for internal-to-internal connectivity via the router out another non-ISP-facing interface. (If such address space is not Internet-routable and delegated to you this is very likely a gap in your source address checking, and, if not checked elsewhere, could result in packets with invalid addresses reaching your ISP(s).)
* If the list of addresses contains any addresses that your router will not permit using a single verification command, then you need to use an inbound access list for that interface. If using an access list, the last line should deny any packets that are not permitted, preferably logging them.
* Establish a baseline of CPU utilization for your router that is connected to your ISP(s), as well as TCAM utilization.
* If using an access list for the interface, deploy the access list and apply it as an inbound access list on the interface facing your internal infrastructure.
* If using a single verification command, deploy it on the interface facing your internal infrastructure.
* Check CPU and TCAM utilization, as well as the device logs for any packets that were denied. The exact commands will differ per hardware platform.
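Whether an interface can use a single verification command or needs an inbound access list depends on whether every source prefix expected on it would pass a strict reverse-path check. The following dry run is an added example, not part of the original wiki page or of any vendor's tooling: it models the check as a longest-prefix match and lists the expected sources that would be dropped. The routing table, interface names and prefixes are constructed sample data, and whether the default route may satisfy the check is treated as a platform-dependent assumption exposed as the `allow_default` parameter.

```python
"""Dry run: would a strict reverse-path check pass every expected source?

Added example. Routes, interface names and prefixes are constructed sample
data; they are not from the wiki page or from any real network.
"""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str


def route(prefix: str, interface: str) -> Route:
    return Route(ipaddress.ip_network(prefix), interface)


# Constructed routing table of the router that connects to the ISP.
ROUTES = [
    route("0.0.0.0/0", "isp0"),
    route("192.0.2.0/24", "inside1"),
    route("198.51.100.0/24", "inside1"),
    route("198.51.100.128/25", "inside2"),  # more-specific, e.g. a DR site
    route("203.0.113.0/24", "inside2"),
]

# Constructed output of the "establish a list of networks" step, per interface.
EXPECTED = {
    "inside1": ["192.0.2.0/24", "198.51.100.0/24", "10.20.0.0/16"],
    "inside2": ["203.0.113.0/24", "198.51.100.128/25"],
}


def best_route(routes, net, allow_default=False) -> Optional[Route]:
    """Longest-prefix match for a prefix that no more-specific route splits.

    allow_default models whether the platform lets the default route satisfy
    the check. Platforms differ on this, so it is a parameter (assumption).
    """
    covering = [
        r for r in routes
        if r.prefix.version == net.version
        and net.subnet_of(r.prefix)
        and (allow_default or r.prefix.prefixlen > 0)
    ]
    return max(covering, key=lambda r: r.prefix.prefixlen, default=None)


def failing_ranges(routes, net, iface, allow_default=False):
    """Return [(sub-prefix, best interface or None)] that a strict check on
    iface would drop, splitting net wherever a more-specific route exists."""
    splits = [
        r for r in routes
        if r.prefix.version == net.version
        and r.prefix.prefixlen > net.prefixlen
        and r.prefix.subnet_of(net)
    ]
    if splits:
        found = []
        for half in net.subnets(prefixlen_diff=1):
            found.extend(failing_ranges(routes, half, iface, allow_default))
        return found
    best = best_route(routes, net, allow_default)
    if best is not None and best.interface == iface:
        return []
    return [(net, best.interface if best else None)]


def audit(routes, expected, allow_default=False):
    """Map each interface to (expected prefix, dropped sub-prefix, best route) rows."""
    findings = {}
    for iface, prefixes in expected.items():
        rows = []
        for text in prefixes:
            net = ipaddress.ip_network(text)
            for bad, via in failing_ranges(routes, net, iface, allow_default):
                rows.append((str(net), str(bad), via))
        findings[iface] = rows
    return findings


def recommend(findings):
    """An interface with any dropped expected source needs an access list."""
    return {
        iface: "access-list" if rows else "verification-command"
        for iface, rows in findings.items()
    }


if __name__ == "__main__":
    findings = audit(ROUTES, EXPECTED)
    for iface, method in recommend(findings).items():
        print(f"{iface}: {method}")
        for expected, dropped, via in findings[iface]:
            print(f"  {expected}: {dropped} would be dropped (best route: {via or 'none'})")
```

In the sample data, `inside1` needs an access list for two reasons the plan above anticipates: a more-specific route sends half of one prefix out another interface, and the internal-only 10.20.0.0/16 space has no route pointing back at the interface.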
====Connections to extranet partners====
While BCP38 is primarily concerned with spoofed source addresses on the Internet, source address verification is also suggested for private links to your suppliers, partners, or customers. Deployment plans for these connections are very similar to the steps for ISP connections, but can use RFC1918 or other mutually-agreed private address space. See the two sections on ISPs above and adjust as needed for your topology.

====Firewalls====
A deployment plan for firewalls is heavily dependent on the firewall vendor as well as the number of interfaces in use on the firewall, and, of course, your internal network topology. Also, because firewalls often front networks containing a valid usage of RFC1918 addressing or perform NAT that changes the addresses of a packet, the concept of a "valid" address is not always clear. Further verification closer to your ISP connection(s) (or any private connection(s)) may be required.

General steps if verification is not enabled by default, orientated for Cisco firewalls using static routing:
* Establish a list of all addresses that could validly appear as source addresses in packets from each internal interface of the firewall. Consider disaster recovery, planned maintenance, unplanned outage scenarios, addresses in use behind load balancers, and any address space that is used for internal-to-internal connectivity via the firewall out another internal interface. It's possible and even likely that you will find address space that is not Internet-routable or not delegated to you.
* Create a list of static routes that are needed to match the list of addresses, with next hops out the appropriate interface. You may find that none are needed, or that you need to adjust some, or that more-specific routes are needed.
* For further safety, check the logs to confirm all connections through the firewall have source addresses that you considered, and that they are actually coming in the interface you expect. ''Cisco firewalls will use the xlate table before the routing table, so a correct static route is no guarantee that connections will not work via an unexpected interface.'' "show xlate detail" will provide a point-in-time snapshot of addresses seen on interfaces.
* If the list of addresses contains any addresses that the firewall will not permit using a single verification command, then you need to use an inbound access list for that interface. If using an access list, the last line should deny any packets that are not permitted, preferably logging them.
* Establish a baseline of CPU utilization, connection counts, denied connection counts, and any other gauge of system performance that is applicable for your firewall. Confirm that you have access to the firewall logs&mdash;preferably not via the firewall you will soon enable source verification on.
* If using an access list for the interface, deploy the access list and apply as an inbound access list on the interface facing your internal infrastructure.
* If using a single verification command, deploy it on the interface facing your internal infrastructure.
* Check the CPU utilization, connection counts, denied connection counts, other system performance gauges gathered earlier, and especially the firewall log. Cisco firewalls will immediately log any packet drops due to failed verification.

=== What Does It Cost Me? ===

e7a7c0dbd714d2c85c3fded2624ea43718912063 159 158 2014-02-19T19:23:41Z Carrollr 33 /* What Does It Mean To Me? */ === What is BCP38? === BCP38 is a Best Current Practice published by the IETF which outlines methods useful in filtering out packets which are injected with a spoofed source address into a network. BCP was ratified in May 2000. === What Does It Mean To Me?
=== Due to the ever-growing frequency and size of DDoS attacks directed towards enterprise customers, BCP38 is becoming a critical tool in helping mitigate DDoS. What it means to the enterprise is two fold: : Having an Internet Service Provider who is BCP38 compliant can help drop traffic if you come under DDoS attack. : Being BCP38 compliant can stop your devices participating in a DDoS Overall, implementing BCP38 will make the Internet a better place for all users, not just your network. === How Do I Tell If I Have It Already? === === How Does Having It Affect Me? === === How Does ''Not'' Having It Affect Me? === === How Do I Set It Up? === === What Does It Cost Me? === ed42aa31ff8abe1cfa2f2b71c587c0a5bb5a6d86 158 46 2014-02-19T18:48:15Z Carrollr 33 /* What is BCP38? */ === What is BCP38? === BCP38 is a Best Current Practice published by the IETF which outlines methods useful in filtering out packets which are injected with a spoofed source address into a network. BCP was ratified in May 2000. === What Does It Mean To Me? === === How Do I Tell If I Have It Already? === === How Does Having It Affect Me? === === How Does ''Not'' Having It Affect Me? === === How Do I Set It Up? === === What Does It Cost Me? === 6891f11548e313ed50800f3c873ed944698981a6 46 2013-03-31T15:11:02Z Baylink 4 Created page with "=== What is BCP38? === === What Does It Mean To Me? === === How Do I Tell If I Have It Already? === === How Does Having It Affect Me? === === How Does ''Not'' Having It Af..." === What is BCP38? === === What Does It Mean To Me? === === How Do I Tell If I Have It Already? === === How Does Having It Affect Me? === === How Does ''Not'' Having It Affect Me? === === How Do I Set It Up? === === What Does It Cost Me? === 2c2afe78d8dc33f99214093305c22d0e803ce441 Information for equipment manufacturers 0 46 153 152 2014-01-26T00:54:21Z Baylink 4 tyop This page is a bit shorter than the others. 
[ The following is a personal opinion, and not necessarily the opinion of the staff and management of bcp38.info. ] If you manufacture edge concentrator equipment of any type or size -- DSLAMs, CMTSs, Resnet Switches, etc -- with any transport mechanism that hands out IP addresses, but does not implement strict unicast-rpf at port speed by default (with the option to disable it per port when necessary), then you're really just an Accessory Before to these DOS attacks. You '''know''' which IP is valid on each port. And you've had over a decade. And you should expect that someone will eventually eat your lunch. 9b246edff12b4e7db8ffaefa0b1b2cad25131b29 152 2014-01-26T00:53:49Z Baylink 4 Scabrously opinionated first cut. This page is a bit shorter than the others. [ The following is a personal opinion, and not necessarily the opinion of the staff and management of bcp38.info. ] If you mamufacture edge concentrator equipment of any type or size -- DSLAMs, CMTSs, Resnet Switches, etc -- with any transport mechanism that hands out IP addresses, but does not implement strict unicast-rpf at port speed by default (with the option to disable it per port when necessary), then you're really just an Accessory Before to these DOS attacks. You '''know''' which IP is valid on each port. And you've had over a decade. And you should expect that someone will eventually eat your lunch. b232c8d0685f2165b798161ec1d1bc6be93deb69 Information for medium businesses 0 20 44 2013-03-31T14:43:17Z Baylink 4 Created page with "=== What is BCP38? === === What Does It Mean To Me? === === How Do I Tell If I Have It Already? === === How Does Having It Affect Me? === === How Does ''Not'' Having It Af..." === What is BCP38? === === What Does It Mean To Me? === === How Do I Tell If I Have It Already? === === How Does Having It Affect Me? === === How Does ''Not'' Having It Affect Me? === === How Do I Set It Up? === === What Does It Cost Me? 
=== 2c2afe78d8dc33f99214093305c22d0e803ce441 Information for small businesses 0 19 192 171 2016-11-21T01:26:54Z David Corlette 46 Corrected HOW TOs link

This page explains [[Main Page|BCP38]] to small businesses, people who have a single internet connection, a consumer or small business router/firewall (Cisco/Linksys, Belkin, SnapGear/WatchGuard, ZyXel, SMC, or those bright red things with the most confusing UI in the universe whose name I have happily forgotten), and a LAN full of PCs and other Internet-capable devices. If you have a larger network, or multiple uplink connections, see the Main Page for links to pages which discuss BCP38 in those contexts.

=== What is BCP38? ===
BCP38 is a practice for making it harder for people to attack the Internet and servers and websites you connect to over it; it's a way for ISPs to set up their equipment so that end-user computers -- like yours -- cannot send traffic through it with forged return addresses. This is important because this sort of forged traffic is often used for this type of attack, and if the return addresses are forged, then the person being attacked (and their network provider, in turn) cannot determine whom to contact to report the attack, so that it can be shut down. Just as importantly: if a computer in your office gets infected by malware, then your provider can inform you that you're sending forged attack traffic '''if''' they implement BCP38, so that you can get it fixed. If they don't, you might never know.

=== What Does It Mean To Me? ===
For small businesses, mostly what it means to you is that it keeps your computer from contributing to such an attack if it is infected by '[[malware]]', and possibly made part of a '[[botnet]]' -- which could have legal liability implications to you; if such a malicious program somehow finds its way onto your computer and is told to launch such an attack, it's possible you or your company could be held civilly or criminally liable for such an attack.
If you or your ISP implement BCP38, the traffic it sends out will either be blocked because it has forged return addresses, or will at least be traceable, so that you can be notified, and take steps to remove the bad programs from your PC, which may protect you from some such liability.

=== How Do I Tell If I Have It Already? ===
There are several research [[projects]] which provide software that you can run which will tell you if your ISP has already implemented BCP38 or not. Some of these provide simple yes/no answers, while others do a bit more testing, and provide more comprehensive results.

=== How Does Having It Affect Me? ===
BCP38 filtering will generally have the same effect on small businesses that it has on end-user and home office computers: none. You shouldn't ever even notice if your ISP has enabled BCP38; it has no effect whatever on normal, valid internet traffic. There are no known business applications that depend on source-address forging to work, and if you know of one, you should publicize that fact, because it's horrifically poor design.

=== How Does ''Not'' Having It Affect Me? ===
If your ISP does ''not'' presently implement BCP38, then they are contributing to bad weather on the Internet; some of the [[sample attacks|attacks]] and types of attacks which BCP38 prevents can cause insanely large traffic flows all to converge at one spot on the Internet; an attack in March 2013 caused 300 ''gigabits per second'' of attack traffic to one site. That's '''two thousand times''' the fastest Verizon FiOS connection you can get; the attack likely came from over 100,000 individual infected PCs, or more. Think of BCP38 as being like the law that forbids you to get out of your running car in a parking lot and leave it there while you go in a store: if someone walks up and drives off in it, and hits a bunch of people, *you* are responsible.
While at the moment, the responsibility for the attacks BCP38 can prevent is moral, rather than legal, we never know what might change in the future.

BCP38: Ask For It By Name. :-)

(In practice, if you call your cable or DSL ISP today and ask if they implement BCP38, your odds of getting someone who knows what that means are about 1:1000. That's what we're trying to change. If a million people this year do it... it will.)

In the case of small businesses, there is an advantage to making sure the router/firewall you have installed *itself* implements BCP38-style source-address filtering. While this is [[egress filtering]], rather than the [[ingress filtering]] which the BCP mandates, it can still be useful in making sure your business isn't contributing to Internet attacks, in case a PC inside your business gets infected with malware. As long as your router DOES NOT implement "Universal Plug and Play" -- this is a protocol which allows PCs inside a network to reconfigure the router in a semi-automated manner -- and has a non-factory-default password set, the odds are that any egress filtering you set on it to drop such '[[martian]]' packets will stick, and be helpful.

=== How Do I Set It Up? ===
In general, you don't have to. If you're a small business, implementing BCP38 is the responsibility of your ISP, be they dialup, cablemodem, DSL, or 'fiber'. The faster your connection, the more important it is. As noted above, while any filtering your in-house router/firewall will apply will be egress filtering, that doesn't make it useless, by any means. Instructions on how to set up such egress filtering will be accumulated in [[How To's]].

=== What Does It Cost Me? ===
In general, the time to set up egress filtering on your router, if you need to do anything at all to do so, will range between a couple of minutes, and less than an hour. There is no real maintenance, so the recurring cost is effectively zero as well.
38b388680e0f3764a47df860359e7c1fcb104974 171 170 2014-10-16T17:45:16Z Baylink 4 /* How Do I Set It Up? */ This page explains [[Main Page|BCP38]] to small businesses, people who have a single internet connection, a consumer or small business router/firewall (Cisco/Linksys, Belkin, SnapGear/WatchGuard, ZyXel, SMC, or those bright red things with the most confusing UI in the universe whose name I have happily forgotten), and a LAN full of PCs and other Internet capable devices. If you have a larger network, or multiple uplnk connections, see the Main Page for links to pages which discuss BCP38 in those contexts. === What is BCP38? === BCP38 is a practice for making it harder for people to attack the Internet and servers and websites you connect to over it; it's a way for ISPs to set up their equipment so that end-user computers -- like yours -- cannot send traffic through it with forged return addresses. This is important because this sort of forged traffic is often used for this type of attack, and if the return addresses are forged, then the person being attacked (and their network provider, in turn) cannot determine whom to contact to report the attack, so that it can be shut down. Just as importantly: if a computer in your office gets infected by malware, then your provider can inform you that you're sending forged attack traffic '''if''' they implement BCP38, so that you can get it fixed. If they don't, you might never know. === What Does It Mean To Me? === For small businesses, mostly what it means to you is that it keeps your computer from contributing to such an attack if it is infected by '[[malware]]', and possibly made part of a '[[botnet]]' -- which could have legal liability implications to you; if such a malicious program somehow finds its way onto your computer and is told to launch such an attack, it's possible you or your company could be held civilly or criminally liable for such attacking. 
If you or your ISP implement BCP38, the traffic it sends out will either be blocked because it has forged return addresses, or will at least be traceable, so that you can be notified, and take steps to remove the bad programs from your PC, which may protect you from some such liability. === How Do I Tell If I Have It Already? === There are several research [[projects]] which provide software that you can run which will tell you if your ISP has already implemented BCP38 or not. Some of these provide simple yes/no answers, while others do a bit more testing, and provide more comprehensive results. === How Does Having It Affect Me? === BCP38 filtering will generally have the same effect on small businesses that it has on end-user and home office computers: none. You shouldn't ever even notice if your ISP has enabled BCP38; it has no effect whatever on normal, valid internet traffic. There are no known business applications that depend on source-address forging to work, and if you know of one, you should publicize that fact, because it's horrifically poor design. === How Does ''Not'' Having It Affect Me? === If your ISP does ''not'' presently implement BCP38, then they are contributing to bad weather on the Internet; some of the [[sample attacks|attacks]] and types of attacks which BCP38 prevents can cause insanely large traffic flows all to converge at one spot on the Internet; an attack in March 2013 caused 300 ''gigabits per second'' of attack traffic to one site. That's '''two thousand times''' the fastest Verizon FiOS connection you can get; the attack likely came from over 100,000 individual infected PCs, or more. Think of BCP38 as being like the law that forbids you to get out of your running car in a parking lot and leave it there while you go in a store: if someone walks up and drives off in it, and hits a bunch of people, *you* are responsible. 
While at the moment, the responsibility for the attacks BCP38 can prevent is moral, rather than legal, we never know what might change in the future. BCP38: Ask For It By Name. :-) (In practice, if you call your cable or DSL ISP today and ask if they implement BCP38, your odds of getting someone who knows what that means are about 1:1000. That's what we're trying to change. If a million people this year do it... it will.) In the case of small businesses, there is an advantage to making sure the router/firewall you have installed *itself* implements BCP38-style source-address filtering. While this is [[egress filtering]], rather than the [[ingress filtering]] which the BCP mandates, it can still be useful in making sure your business isn't contributing to Internet attacks, in case a PC inside your business gets infected with malware. As long as your router DOES NOT implement "Universal Plug and Play" -- this is a protocol which allows PCs inside a network to reconfigure the router in a semi-automated manner -- and has a non-factory-default password set, the odds are that any egress filtering you set on it to drop such '[[martian]]' packets will stick, and be helpful. === How Do I Set It Up? === In general, you don't have to. If you're a small business, implementing BCP38 is the responsibility of your ISP, be they dialup, cablemodem, DSL, or 'fiber'. The faster your connection, the more important it is. As noted above, while any filtering your in-house router/firewall will apply will be egress filtering, that doesn't make it useless, by any means. Instructions on how to set up such egress filtering will be accumulated in [[:Category:HOWTO|the HOWTO category on this wiki]]. === What Does It Cost Me? === In general, the time to set up egress filtering on your router, if you need to do anything at all to do so, will range between a couple of minutes, and less than an hour. There is no real maintenance, so the recurring cost is effectively zero as well. 
ee1499a6680283b77532df56b2818e72d9079be8 170 169 2014-10-16T17:44:53Z Baylink 4 /* How Do I Set It Up? */ This page explains [[Main Page|BCP38]] to small businesses, people who have a single internet connection, a consumer or small business router/firewall (Cisco/Linksys, Belkin, SnapGear/WatchGuard, ZyXel, SMC, or those bright red things with the most confusing UI in the universe whose name I have happily forgotten), and a LAN full of PCs and other Internet capable devices. If you have a larger network, or multiple uplnk connections, see the Main Page for links to pages which discuss BCP38 in those contexts. === What is BCP38? === BCP38 is a practice for making it harder for people to attack the Internet and servers and websites you connect to over it; it's a way for ISPs to set up their equipment so that end-user computers -- like yours -- cannot send traffic through it with forged return addresses. This is important because this sort of forged traffic is often used for this type of attack, and if the return addresses are forged, then the person being attacked (and their network provider, in turn) cannot determine whom to contact to report the attack, so that it can be shut down. Just as importantly: if a computer in your office gets infected by malware, then your provider can inform you that you're sending forged attack traffic '''if''' they implement BCP38, so that you can get it fixed. If they don't, you might never know. === What Does It Mean To Me? === For small businesses, mostly what it means to you is that it keeps your computer from contributing to such an attack if it is infected by '[[malware]]', and possibly made part of a '[[botnet]]' -- which could have legal liability implications to you; if such a malicious program somehow finds its way onto your computer and is told to launch such an attack, it's possible you or your company could be held civilly or criminally liable for such attacking. 
If you or your ISP implement BCP38, the traffic it sends out will either be blocked because it has forged return addresses, or will at least be traceable, so that you can be notified, and take steps to remove the bad programs from your PC, which may protect you from some such liability. === How Do I Tell If I Have It Already? === There are several research [[projects]] which provide software that you can run which will tell you if your ISP has already implemented BCP38 or not. Some of these provide simple yes/no answers, while others do a bit more testing, and provide more comprehensive results. === How Does Having It Affect Me? === BCP38 filtering will generally have the same effect on small businesses that it has on end-user and home office computers: none. You shouldn't ever even notice if your ISP has enabled BCP38; it has no effect whatever on normal, valid internet traffic. There are no known business applications that depend on source-address forging to work, and if you know of one, you should publicize that fact, because it's horrifically poor design. === How Does ''Not'' Having It Affect Me? === If your ISP does ''not'' presently implement BCP38, then they are contributing to bad weather on the Internet; some of the [[sample attacks|attacks]] and types of attacks which BCP38 prevents can cause insanely large traffic flows all to converge at one spot on the Internet; an attack in March 2013 caused 300 ''gigabits per second'' of attack traffic to one site. That's '''two thousand times''' the fastest Verizon FiOS connection you can get; the attack likely came from over 100,000 individual infected PCs, or more. Think of BCP38 as being like the law that forbids you to get out of your running car in a parking lot and leave it there while you go in a store: if someone walks up and drives off in it, and hits a bunch of people, *you* are responsible. 
While at the moment, the responsibility for the attacks BCP38 can prevent is moral, rather than legal, we never know what might change in the future. BCP38: Ask For It By Name. :-) (In practice, if you call your cable or DSL ISP today and ask if they implement BCP38, your odds of getting someone who knows what that means are about 1:1000. That's what we're trying to change. If a million people this year do it... it will.) In the case of small businesses, there is an advantage to making sure the router/firewall you have installed *itself* implements BCP38-style source-address filtering. While this is [[egress filtering]], rather than the [[ingress filtering]] which the BCP mandates, it can still be useful in making sure your business isn't contributing to Internet attacks, in case a PC inside your business gets infected with malware. As long as your router DOES NOT implement "Universal Plug and Play" -- this is a protocol which allows PCs inside a network to reconfigure the router in a semi-automated manner -- and has a non-factory-default password set, the odds are that any egress filtering you set on it to drop such '[[martian]]' packets will stick, and be helpful. === How Do I Set It Up? === In general, you don't have to. If you're a small business, implementing BCP38 is the responsibility of your ISP, be they dialup, cablemodem, DSL, or 'fiber'. The faster your connection, the more important it is. As noted above, while any filtering your in-house router/firewall will apply will be egress filtering, that doesn't make it useless, by any means. Instructions on how to set up such egress filtering will be accumulated in [[Category:HOWTO|the HOWTO category on this wiki]]. === What Does It Cost Me? === In general, the time to set up egress filtering on your router, if you need to do anything at all to do so, will range between a couple of minutes, and less than an hour. There is no real maintenance, so the recurring cost is effectively zero as well. 
d97e15d8349e269dcb3a8d1a2d7a2d758204084c 169 168 2014-10-16T17:44:28Z Baylink 4 /* How Do I Set It Up? */

This page explains [[Main Page|BCP38]] to small businesses: people who have a single Internet connection, a consumer or small-business router/firewall (Cisco/Linksys, Belkin, SnapGear/WatchGuard, ZyXel, SMC, or those bright red things with the most confusing UI in the universe whose name I have happily forgotten), and a LAN full of PCs and other Internet-capable devices. If you have a larger network, or multiple uplink connections, see the Main Page for links to pages which discuss BCP38 in those contexts.

=== What is BCP38? ===

BCP38 is a practice for making it harder for people to attack the Internet and the servers and websites you connect to over it; it's a way for ISPs to set up their equipment so that end-user computers -- like yours -- cannot send traffic through it with forged return addresses. This is important because this sort of forged traffic is often used in such attacks, and if the return addresses are forged, then the person being attacked (and their network provider, in turn) cannot determine whom to contact to report the attack, so that it can be shut down.

Just as importantly: if a computer in your office gets infected by malware, then your provider can inform you that you're sending forged attack traffic '''if''' they implement BCP38, so that you can get it fixed. If they don't, you might never know.

=== What Does It Mean To Me? ===

For small businesses, mostly what it means to you is that it keeps your computer from contributing to such an attack if it is infected by '[[malware]]', and possibly made part of a '[[botnet]]' -- which could have legal liability implications for you; if such a malicious program somehow finds its way onto your computer and is told to launch such an attack, it's possible you or your company could be held civilly or criminally liable for the attack.

If you or your ISP implement BCP38, the traffic it sends out will either be blocked because it has forged return addresses, or will at least be traceable, so that you can be notified, and take steps to remove the bad programs from your PC, which may protect you from some such liability.

=== How Do I Tell If I Have It Already? ===

There are several research [[projects]] which provide software that you can run which will tell you whether your ISP has already implemented BCP38. Some of these provide simple yes/no answers, while others do a bit more testing, and provide more comprehensive results.

=== How Does Having It Affect Me? ===

BCP38 filtering will generally have the same effect on small businesses that it has on end-user and home office computers: none. You shouldn't ever even notice if your ISP has enabled BCP38; it has no effect whatever on normal, valid Internet traffic. There are no known business applications that depend on source-address forging to work, and if you know of one, you should publicize that fact, because it's horrifically poor design.

=== How Does ''Not'' Having It Affect Me? ===

If your ISP does ''not'' presently implement BCP38, then they are contributing to bad weather on the Internet; some of the [[sample attacks|attacks]] and types of attacks which BCP38 prevents can cause insanely large traffic flows all to converge at one spot on the Internet; an attack in March 2013 caused 300 ''gigabits per second'' of attack traffic to one site. That's '''two thousand times''' the fastest Verizon FiOS connection you can get; the attack likely came from over 100,000 individual infected PCs, or more.

Think of BCP38 as being like the law that forbids you to get out of your running car in a parking lot and leave it there while you go in a store: if someone walks up and drives off in it, and hits a bunch of people, ''you'' are responsible.

While at the moment, the responsibility for the attacks BCP38 can prevent is moral, rather than legal, we never know what might change in the future. BCP38: Ask For It By Name. :-)

(In practice, if you call your cable or DSL ISP today and ask if they implement BCP38, your odds of getting someone who knows what that means are about 1:1000. That's what we're trying to change. If a million people this year do it... it will.)

In the case of small businesses, there is an advantage to making sure the router/firewall you have installed ''itself'' implements BCP38-style source-address filtering. While this is [[egress filtering]], rather than the [[ingress filtering]] which the BCP mandates, it can still be useful in making sure your business isn't contributing to Internet attacks, in case a PC inside your business gets infected with malware.

As long as your router DOES NOT implement "Universal Plug and Play" -- this is a protocol which allows PCs inside a network to reconfigure the router in a semi-automated manner -- and has a non-factory-default password set, the odds are that any egress filtering you set on it to drop such '[[martian]]' packets will stick, and be helpful.

=== How Do I Set It Up? ===

In general, you don't have to. If you're a small business, implementing BCP38 is the responsibility of your ISP, be they dialup, cable modem, DSL, or 'fiber'. The faster your connection, the more important it is.

As noted above, while any filtering your in-house router/firewall applies will be egress filtering, that doesn't make it useless, by any means. Instructions on how to set up such egress filtering will be accumulated in [[:Category:HOWTO|the HOWTO category on this wiki]].

=== What Does It Cost Me? ===

In general, the time to set up egress filtering on your router, if you need to do anything at all to do so, will range from a couple of minutes to less than an hour. There is no real maintenance, so the recurring cost is effectively zero as well.
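As an added illustration of the router-side egress source-address check described above (not code from this wiki or from any router vendor), the Python below applies the rule "forward only packets whose source address belongs to the LAN" to a constructed packet log and tallies violations by MAC address, since a forged source IP cannot identify the sending PC. The LAN prefixes, the log format and the function names are assumptions made for the example.

```python
"""Egress source-address audit for a single-uplink office LAN (added example)."""
import ipaddress
from collections import Counter

# Assumption: the prefixes actually assigned to the office LAN. Replace with your own.
LAN_PREFIXES = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("fd00:1234:5678::/64"),
]

# Constructed sample, one packet per line, as seen on the router's LAN interface
# on its way to the uplink: "<source MAC> <source IP> <destination IP>".
# The format is hypothetical; adapt parse_line() to whatever your router exports.
SAMPLE_LOG = """\
aa:bb:cc:00:00:01 192.168.1.10 203.0.113.5
aa:bb:cc:00:00:02 192.168.1.23 198.51.100.7
aa:bb:cc:00:00:03 198.51.100.99 203.0.113.80
aa:bb:cc:00:00:03 10.9.8.7 203.0.113.80
aa:bb:cc:00:00:03 192.168.1.30 203.0.113.80
aa:bb:cc:00:00:04 fd00:1234:5678::20 2001:db8::1
aa:bb:cc:00:00:03 2001:db8:dead::1 2001:db8::1
not a valid line
"""


def source_is_valid(src, prefixes=LAN_PREFIXES):
    """True if src lies inside one of the LAN prefixes.

    An IPv4 address never matches an IPv6 prefix (and vice versa), so a
    dual-stack LAN needs both of its prefixes listed.
    """
    return any(src in net for net in prefixes)


def parse_line(line):
    """Return (mac, src, dst) or None when the line is not a well-formed record."""
    fields = line.split()
    if len(fields) != 3:
        return None
    mac, src, dst = fields
    try:
        return mac.lower(), ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return None


def audit(log_text, prefixes=LAN_PREFIXES):
    """Apply the egress rule to every record and summarise the outcome.

    Packets with a LAN source are counted as forwarded. Anything else is what
    an egress filter would drop; those are grouped by MAC address, because the
    MAC (unlike the forged IP) points at the PC that needs cleaning up.
    """
    forwarded = 0
    malformed = 0
    dropped = []
    offenders = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            malformed += 1
            continue
        mac, src, dst = record
        if source_is_valid(src, prefixes):
            forwarded += 1
        else:
            dropped.append((mac, str(src), str(dst)))
            offenders[mac] += 1
    return {
        "forwarded": forwarded,
        "dropped": dropped,
        "offenders": offenders,
        "malformed": malformed,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print("forwarded:", report["forwarded"], "malformed:", report["malformed"])
    for mac, count in report["offenders"].most_common():
        print("host", mac, "sent", count, "packet(s) with a non-LAN source address")
```

Note that the third host also sends legitimate traffic from its real address, which is why the tally is kept per MAC rather than per source IP.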
38140041664aa3e52236d0fd3d6a7258034541fd 162 157 2014-10-16T17:37:02Z Baylink 4 This page explains [[Main Page|BCP38]] to small businesses, people who have a single internet connection, a consumer or small business router/firewall (Cisco/Linksys, Belkin, SnapGear/WatchGuard, ZyXel, SMC, or those bright red things with the most confusing UI in the universe whose name I have happily forgotten), and a LAN full of PCs and other Internet capable devices. If you have a larger network, or multiple uplnk connections, see the Main Page for links to pages which discuss BCP38 in those contexts. === What is BCP38? === BCP38 is a practice for making it harder for people to attack the Internet and servers and websites you connect to over it; it's a way for ISPs to set up their equipment so that end-user computers -- like yours -- cannot send traffic through it with forged return addresses. This is important because this sort of forged traffic is often used for this type of attack, and if the return addresses are forged, then the person being attacked (and their network provider, in turn) cannot determine whom to contact to report the attack, so that it can be shut down. Just as importantly: if a computer in your office gets infected by malware, then your provider can inform you that you're sending forged attack traffic '''if''' they implement BCP38, so that you can get it fixed. If they don't, you might never know. === What Does It Mean To Me? 
=== For small businesses, mostly what it means to you is that it keeps your computer from contributing to such an attack if it is infected by '[[malware]]', and possibly made part of a '[[botnet]]' -- which could have legal liability implications to you; if such a malicious program somehow finds its way onto your computer and is told to launch such an attack, the traffic it sends out will either be blocked because it has forged return addresses, or will at least be traceable, so that you can be notified, and take steps to remove the bad programs from your PC. === How Do I Tell If I Have It Already? === There are several research [[projects]] which provide software that you can run which will tell you if your ISP has already implemented BCP38 or not. Some of these provide simple yes/no answers, while others do a bit more testing, and provide more comprehensive results. === How Does Having It Affect Me? === BCP38 filtering will generally have the same effect on small businesses that it has on end-user and home office computers: none. You shouldn't ever even notice if your ISP has enabled BCP38; it has no effect whatever on normal, valid internet traffic. There are no known business applications that depend on source-address forging to work, and if you know of one, you should publicize that fact, because it's horrifically poor design. === How Does ''Not'' Having It Affect Me? === If your ISP does ''not'' presently implement BCP38, then they are contributing to bad weather on the Internet; some of the [[sample attacks|attacks]] and types of attacks which BCP38 prevents can cause insanely large traffic flows all to converge at one spot on the Internet; an attack in March 2013 caused 300 ''gigabits per second'' of attack traffic to one site. That's '''two thousand times''' the fastest Verizon FiOS connection you can get; the attack likely came from over 100,000 individual infected PCs, or more. 
Think of BCP38 as being like the law that forbids you to get out of your running car in a parking lot and leave it there while you go in a store: if someone walks up and drives off in it, and hits a bunch of people, *you* are responsible. While at the moment, the responsibility for the attacks BCP38 can prevent is moral, rather than legal, we never know what might change in the future. BCP38: Ask For It By Name. :-) (In practice, if you call your cable or DSL ISP today and ask if they implement BCP38, your odds of getting someone who knows what that means are about 1:1000. That's what we're trying to change. If a million people this year do it... it will.) In the case of small businesses, there is an advantage to making sure the router/firewall you have installed *itself* implements BCP38-style source-address filtering. While this is [[egress filtering]], rather than the [[ingress filtering]] which the BCP mandates, it can still be useful in making sure your business isn't contributing to Internet attacks, in case a PC inside your business gets infected with malware. As long as your router DOES NOT implement "Universal Plug and Play" -- this is a protocol which allows PCs inside a network to reconfigure the router in a semi-automated manner -- and has a non-factory-default password set, the odds are that any egress filtering you set on it to drop such 'martian' packets will stick, and be helpful. === How Do I Set It Up? === In general, you don't have to. If you're a small business, implementing BCP38 is the responsibility of your ISP, be they dialup, cablemodem, DSL, or 'fiber'. The faster your connection, the more important it is. As noted above, while any filtering your in-house router/firewall will apply will be egress filtering, that doesn't make it useless, by any means. Instructions on how to set up such egress filtering will be accumulated in [[Category:HOWTO]]. === What Does It Cost Me? 
=== In general, the time to set up egress filtering on your router, if you need to do anything at all to do so, will range between a couple of minutes, and less than an hour. There is no real maintenance, so the recurring cost is effectively zero as well. 93658f78f16d5ca325e94b5c7ee6518401aa8eb2 157 156 2014-02-18T19:44:02Z Baylink 4 This page explains BCP38 to small businesses, people who have a single internet connection, a consumer or small business router/firewall (Cisco/Linksys, Belkin, SnapGear/WatchGuard, ZyXel, SMC, or those bright red things with the most confusing UI in the universe whose name I have happily forgotten), and a LAN full of PCs and other Internet capable devices. If you have a larger network, or multiple uplnk connections, see the Main Page for links to pages which discuss BCP38 in those contexts. === What is BCP38? === BCP38 is a practice for making it harder for people to attack the Internet and servers and websites you connect to over it; it's a way for ISPs to set up their equipment so that end-user computers -- like yours -- cannot send traffic through it with forged return addresses. This is important because this sort of forged traffic is often used for this type of attack, and if the return addresses are forged, then the person being attacked (and their network provider, in turn) cannot determine whom to contact to report the attack, so that it can be shut down. Just as importantly: if a computer in your office gets infected by malware, then your provider can inform you that you're sending forged attack traffic '''if''' they implement BCP38, so that you can get it fixed. If they don't, you might never know. === What Does It Mean To Me? 
=== For small businesses, mostly what it means to you is that it keeps your computer from contributing to such an attack if it is infected by '[[malware]]', and possibly made part of a '[[botnet]]' -- which could have legal liability implications to you; if such a malicious program somehow finds its way onto your computer and is told to launch such an attack, the traffic it sends out will either be blocked because it has forged return addresses, or will at least be traceable, so that you can be notified, and take steps to remove the bad programs from your PC. === How Do I Tell If I Have It Already? === There are several research [[projects]] which provide software that you can run which will tell you if your ISP has already implemented BCP38 or not. Some of these provide simple yes/no answers, while others do a bit more testing, and provide more comprehensive results. === How Does Having It Affect Me? === BCP38 filtering will generally have the same effect on small businesses that it has on end-user and home office computers: none. You shouldn't ever even notice if your ISP has enabled BCP38; it has no effect whatever on normal, valid internet traffic. There are no known business applications that depend on source-address forging to work, and if you know of one, you should publicize that fact, because it's horrifically poor design. === How Does ''Not'' Having It Affect Me? === If your ISP does ''not'' presently implement BCP38, then they are contributing to bad weather on the Internet; some of the [[sample attacks|attacks]] and types of attacks which BCP38 prevents can cause insanely large traffic flows all to converge at one spot on the Internet; an attack in March 2013 caused 300 ''gigabits per second'' of attack traffic to one site. That's '''two thousand times''' the fastest Verizon FiOS connection you can get; the attack likely came from over 100,000 individual infected PCs, or more. 
Think of BCP38 as being like the law that forbids you to get out of your running car in a parking lot and leave it there while you go in a store: if someone walks up and drives off in it, and hits a bunch of people, *you* are responsible. While at the moment, the responsibility for the attacks BCP38 can prevent is moral, rather than legal, we never know what might change in the future. BCP38: Ask For It By Name. :-) (In practice, if you call your cable or DSL ISP today and ask if they implement BCP38, your odds of getting someone who knows what that means are about 1:1000. That's what we're trying to change. If a million people this year do it... it will.) In the case of small businesses, there is an advantage to making sure the router/firewall you have installed *itself* implements BCP38-style source-address filtering. While this is [[egress filtering]], rather than the [[ingress filtering]] which the BCP mandates, it can still be useful in making sure your business isn't contributing to Internet attacks, in case a PC inside your business gets infected with malware. As long as your router DOES NOT implement "Universal Plug and Play" -- this is a protocol which allows PCs inside a network to reconfigure the router in a semi-automated manner -- and has a non-factory-default password set, the odds are that any egress filtering you set on it to drop such 'martian' packets will stick, and be helpful. === How Do I Set It Up? === In general, you don't have to. If you're a small business, implementing BCP38 is the responsibility of your ISP, be they dialup, cablemodem, DSL, or 'fiber'. The faster your connection, the more important it is. As noted above, while any filtering your in-house router/firewall will apply will be egress filtering, that doesn't make it useless, by any means. Instructions on how to set up such egress filtering will be accumulated in [[Category:HOWTO]]. === What Does It Cost Me? 
=== In general, the time to set up egress filtering on your router, if you need to do anything at all to do so, will range between a couple of minutes, and less than an hour. There is no real maintenance, so the recurring cost is effectively zero as well. 435568b2ac6413a4d74230c2967690e72e8884da 156 43 2014-02-18T19:43:09Z Baylink 4 First cut, adapted from the soho page This page explains BCP38 to small businesses, people who have a single internet connection, a consumer or small business router/firewall (Cisco/Linksys, Belkin, SnapGear/WatchGuard, ZyXel, SMC, or those bright red things with the most confusing UI in the universe whose name I have happily forgotten). If you have a larger network, or multiple uplnk connections, see the Main Page for links to pages which discuss BCP38 in those contexts. === What is BCP38? === BCP38 is a practice for making it harder for people to attack the Internet and servers and websites you connect to over it; it's a way for ISPs to set up their equipment so that end-user computers -- like yours -- cannot send traffic through it with forged return addresses. This is important because this sort of forged traffic is often used for this type of attack, and if the return addresses are forged, then the person being attacked (and their network provider, in turn) cannot determine whom to contact to report the attack, so that it can be shut down. Just as importantly: if a computer in your office gets infected by malware, then your provider can inform you that you're sending forged attack traffic '''if''' they implement BCP38, so that you can get it fixed. If they don't, you might never know. === What Does It Mean To Me? 
=== For small businesses, mostly what it means to you is that it keeps your computer from contributing to such an attack if it is infected by '[[malware]]', and possibly made part of a '[[botnet]]' -- which could have legal liability implications to you; if such a malicious program somehow finds its way onto your computer and is told to launch such an attack, the traffic it sends out will either be blocked because it has forged return addresses, or will at least be traceable, so that you can be notified, and take steps to remove the bad programs from your PC. === How Do I Tell If I Have It Already? === There are several research [[projects]] which provide software that you can run which will tell you if your ISP has already implemented BCP38 or not. Some of these provide simple yes/no answers, while others do a bit more testing, and provide more comprehensive results. === How Does Having It Affect Me? === BCP38 filtering will generally have the same effect on small businesses that it has on end-user and home office computers: none. You shouldn't ever even notice if your ISP has enabled BCP38; it has no effect whatever on normal, valid internet traffic. There are no known business applications that depend on source-address forging to work, and if you know of one, you should publicize that fact, because it's horrifically poor design. === How Does ''Not'' Having It Affect Me? === If your ISP does ''not'' presently implement BCP38, then they are contributing to bad weather on the Internet; some of the [[sample attacks|attacks]] and types of attacks which BCP38 prevents can cause insanely large traffic flows all to converge at one spot on the Internet; an attack in March 2013 caused 300 ''gigabits per second'' of attack traffic to one site. That's '''two thousand times''' the fastest Verizon FiOS connection you can get; the attack likely came from over 100,000 individual infected PCs, or more. 
Think of BCP38 as being like the law that forbids you to get out of your running car in a parking lot and leave it there while you go in a store: if someone walks up and drives off in it, and hits a bunch of people, ''you'' are responsible. While at the moment, the responsibility for the attacks BCP38 can prevent is moral, rather than legal, we never know what might change in the future.

BCP38: Ask For It By Name. :-)

(In practice, if you call your cable or DSL ISP today and ask if they implement BCP38, your odds of getting someone who knows what that means are about 1:1000. That's what we're trying to change. If a million people this year do it... it will.)

In the case of small businesses, there is an advantage to making sure the router/firewall you have installed ''itself'' implements BCP38-style source-address filtering. While this is [[egress filtering]], rather than the [[ingress filtering]] which the BCP mandates, it can still be useful in making sure your business isn't contributing to Internet attacks, in case a PC inside your business gets infected with malware.

As long as your router DOES NOT implement "Universal Plug and Play" -- this is a protocol which allows PCs inside a network to reconfigure the router in a semi-automated manner -- and has a non-factory-default password set, the odds are that any egress filtering you set on it to drop such 'martian' packets will stick, and be helpful.

=== How Do I Set It Up? ===
In general, you don't have to. If you're a small business, implementing BCP38 is the responsibility of your ISP, be they dialup, cablemodem, DSL, or 'fiber'. The faster your connection, the more important it is. As noted above, while any filtering your in-house router/firewall will apply will be egress filtering, that doesn't make it useless, by any means. Instructions on how to set up such egress filtering will be accumulated in [[Category:HOWTO]].

=== What Does It Cost Me? ===
In general, the time to set up egress filtering on your router, if you need to do anything at all to do so, will range between a couple of minutes, and less than an hour. There is no real maintenance, so the recurring cost is effectively zero as well.

397e727c652bdf103289187af9226cb437e19267 43 2013-03-31T14:42:29Z Baylink 4 Set up as a template first; then fill in

=== What is BCP38? ===
=== What Does It Mean To Me? ===
=== How Do I Tell If I Have It Already? ===
=== How Does Having It Affect Me? ===
=== How Does ''Not'' Having It Affect Me? ===
=== How Do I Set It Up? ===
=== What Does It Cost Me? ===

2c2afe78d8dc33f99214093305c22d0e803ce441 Information for transit providers 0 22 53 52 2013-03-31T15:21:18Z Baylink 4

'''Transit providers''' are people who buy connectivity to the Greater Internet, and sell pieces of that to smaller networks, or to end-sites; they are distinguished from 'eyeball' networks largely by scale; eyeball networks may sell some transit to small customers, but are weighted heavily in favor of end-users; households and small businesses which may have 1-50 devices behind a small router, and generally take only one publicly routable IP address.

Some 'eyeball network' providers may ''also'' offer transit, for larger clients and enterprise/educational networks; how to handle BCP38 for that business is covered in the appropriate article.

=== What is BCP38? ===
=== What Does It Mean To Me? ===
=== How Do I Tell If I Have It Already? ===
=== How Does Having It Affect Me? ===
=== How Does ''Not'' Having It Affect Me? ===
=== How Do I Set It Up? ===
=== What Does It Cost Me? ===

c928358ecfe2f2644f9fe6210175f577746cb40b 52 47 2013-03-31T15:21:07Z Baylink 4

'''Transit providers''' are people who buy connectivity to the Greater Internet, and sell pieces of that to smaller networks, or to end-sites; they are distinguished from 'eyeball' networks largely by scale; eyeball networks may sell some transit to small customers, but are weighted heavily in favor of end-users; households and small businesses which may have 1-50 devices behind a small router, and generally take only one publicly routable IP address.

Some 'eyeball network' providers may ''also'' offer transit, for larger clients and enterprise/educational networks; how to handle BCP38 for that business is covered in the appropriate article.

=== What is BCP38? ===
=== What Does It Mean To Me? ===
=== How Do I Tell If I Have It Already? ===
=== How Does Having It Affect Me? ===
=== How Does ''Not'' Having It Affect Me? ===
=== How Do I Set It Up? ===
=== What Does It Cost Me? ===

89a9474efadf23993efce4e20bd838a409b84058 47 2013-03-31T15:11:40Z Baylink 4 Created page with "=== What is BCP38? === === What Does It Mean To Me? === === How Do I Tell If I Have It Already? === === How Does Having It Affect Me? === === How Does ''Not'' Having It Af..."

=== What is BCP38? ===
=== What Does It Mean To Me? ===
=== How Do I Tell If I Have It Already? ===
=== How Does Having It Affect Me? ===
=== How Does ''Not'' Having It Affect Me? ===
=== How Do I Set It Up? ===
=== What Does It Cost Me? ===

2c2afe78d8dc33f99214093305c22d0e803ce441 Ingress filtering 0 28 78 77 2013-04-04T21:20:25Z Baylink 4

BCP38 is mainly about the use of '''ingress filtering''' to block forged IP packets, that is: filtering applied where packets come into a network, usually one operated by a commercial provider who specializes in that service.

Why not block where packets ''leave'' a network -- called '''egress filtering'''?
Well, you can do that too, but that is necessarily under the control of the person who operates that machine or network -- and they may be -- purposefully or by accident -- the Bad Actor you're trying to protect the Internet ''against''; leaving the filtering up to them guarantees that the actual Bad Guys won't do it.

Egress filtering, applied, say, in a [[CPE]] router, can in fact do some good, filtering forged attack packets which might come from a trojan-horse program which a user doesn't know is on his or her computer, but overall, while useful, it is not as important as convincing commercial network providers, both transit and providers to end users -- like Road Runner, Comcast, U-Verse, and the like -- to implement ingress filtering wherever possible.

If you operate a large, but still end-user network, as many colleges and larger business enterprises do, you may find it useful to do both: egress filter at your edge routers, ''and'' ingress filter at your incoming connection aggregators, if you can.

cebb60e877e87048c2dbd1fe9485c1494275cbbb 77 76 2013-04-04T21:18:45Z Baylink 4 minor thinko

BCP38 is mainly about the use of '''ingress filtering''' to block forged IP packets, that is: filtering applied where packets come into a network, usually one operated by a commercial provider who specializes in that service.

Why not block where packets ''leave'' a network -- called '''egress filtering'''? Well, you can do that too, but that is necessarily under the control of the person who operates that machine or network -- and they may be -- purposefully or by accident -- the Bad Actor you're trying to protect the Internet ''against''; leaving the filtering up to them guarantees that the actual Bad Guys won't do it.

Egress filtering, applied, say, in a [[CPE]] router, can in fact do some good, filtering forged attack packets which might come from a trojan-horse program which a user doesn't know is on his or her computer, but overall, while useful, it is not as important as convincing commercial network providers, both transit and providers to end users -- like Road Runner, Comcast, U-Verse, and the like -- to implement ingress filtering wherever possible.

833ca7502e107647b456e90ecbef39e6a2bd8b20 76 2013-04-04T21:18:03Z Baylink 4 Created page with "BCP38 is mainly about the use of '''ingress filtering''' to block forged IP packets, that is: filtering applied where packets come into a network, usually one provided by a co..."

BCP38 is mainly about the use of '''ingress filtering''' to block forged IP packets, that is: filtering applied where packets come into a network, usually one provided by a commercial provider who specializes in that service.

Why not block where packets ''leave'' a network -- called '''egress filtering'''? Well, you can do that too, but that is necessarily under the control of the person who operates that machine or network -- and they may be -- purposefully or by accident -- the Bad Actor you're trying to protect the Internet ''against''; leaving the filtering up to them guarantees that the actual Bad Guys won't do it.

Egress filtering, applied, say, in a [[CPE]] router, can in fact do some good, filtering forged attack packets which might come from a trojan-horse program which a user doesn't know is on his or her computer, but overall, while useful, it is not as important as convincing commercial network providers, both transit and providers to end users -- like Road Runner, Comcast, U-Verse, and the like -- to implement ingress filtering wherever possible.
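
The ingress check described above, as an added example (not code from BCP38.info or from any router vendor): a provider-edge filter forwards a packet only when its source address lies inside the prefixes assigned to the port it arrived on, or inside a manually approved exception, and counts drops per port so the provider knows which customer to contact. The class names, port names, prefixes and packets are all constructed, using documentation address ranges.

```python
import ipaddress
from collections import Counter


class CustomerPort:
    """A customer-facing port on provider aggregation gear (hypothetical model)."""

    def __init__(self, name, assigned, exceptions=()):
        self.name = name
        # Prefixes the provider itself handed to this customer.
        self.assigned = [ipaddress.ip_network(p) for p in assigned]
        # Manually approved extra sources (e.g. a multihomed customer).
        self.exceptions = [ipaddress.ip_network(p) for p in exceptions]


class IngressFilter:
    """Source-address validation applied where customer packets enter."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.dropped = Counter()  # port name -> packets dropped on that port

    def check(self, port_name, src):
        """Return (verdict, reason) for one packet arriving on port_name."""
        verdict, reason = self._decide(port_name, src)
        if verdict == "drop":
            self.dropped[port_name] += 1
        return verdict, reason

    def _decide(self, port_name, src):
        port = self.ports.get(port_name)
        if port is None:
            return "drop", "unknown port"  # fail closed
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return "drop", "unparseable source"
        # An IPv4 address is never "in" an IPv6 network and vice versa,
        # so mixed-family prefix lists are safe to test in one pass.
        if any(addr in net for net in port.assigned):
            return "forward", "assigned prefix"
        if any(addr in net for net in port.exceptions):
            return "forward", "manual exception"
        return "drop", "source not assigned to this port"

    def notify_list(self):
        """Ports whose customers should be contacted, most drops first."""
        return self.dropped.most_common()


def build_demo_filter():
    """Three constructed customer ports using documentation address ranges."""
    return IngressFilter([
        CustomerPort("cm-0017", ["198.51.100.24/29"]),
        CustomerPort("cm-0018", ["198.51.100.32/29"],
                     exceptions=["203.0.113.0/28"]),
        CustomerPort("dsl-0402", ["192.0.2.77/32", "2001:db8:402::/48"]),
    ])


# Constructed sample traffic: (arrival port, source address in the IP header).
SAMPLE_PACKETS = [
    ("cm-0017", "198.51.100.25"),     # customer's own address
    ("cm-0017", "198.51.100.33"),     # a neighbour's address
    ("cm-0017", "203.0.113.50"),      # address from an unrelated network
    ("cm-0017", "10.0.0.5"),          # private address leaking out un-NATed
    ("cm-0018", "203.0.113.9"),       # covered by the manual exception
    ("cm-0018", "203.0.113.200"),     # outside the approved exception
    ("dsl-0402", "2001:db8:402::1"),  # IPv6 inside the assigned /48
    ("dsl-0402", "2001:db8:999::1"),  # IPv6 outside it
    ("cm-9999", "198.51.100.25"),     # port with no provisioning record
]


if __name__ == "__main__":
    flt = build_demo_filter()
    for port, src in SAMPLE_PACKETS:
        verdict, reason = flt.check(port, src)
        print(f"{port:9} {src:18} {verdict:8} {reason}")
    print("follow up with:", flt.notify_list())
```

The same logic run at a CPE router, with the LAN prefix as the only assigned prefix, is the egress filtering the article contrasts it with.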
df042eebfd3026b9576d932a8c99041af3666600 Main Page 0 1 191 190 2016-10-21T19:55:47Z Baylink 4

{{Languages}} __NOTOC__
[[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]]

This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. So this site is documentation that explains these attacks, and education that tells network operators how to configure their networks to prevent them.

<div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: pink;">
If you found this site because you heard BCP38 mentioned on the 21 Oct Science Friday, welcome! We've tried to make most of the site accessible to less technical people; if there are parts you don't understand, please drop a note to moderator [at] bcp38.info.
</div>

== What?? ==
Well, the gritty details are under those links, but in short, these are attacks launched across the Internet to take websites and other services off the air, often utilizing 'bots' on home and business PCs which the owners don't even know are there. A recent example (likely) is a DDoS on the Dyn.com DNS service provider which made a number of very high profile websites based on the east coast of the US inaccessible for much of the morning of 21 October 2016. These can be [https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/ really big attacks]; if enough of them are running at the same time, aimed at strategically significant targets, they could [https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html take down the internet]. No. We're not making this up. Yes, it matters.

== How do they get away with that? ==
DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], are hard enough to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from.

== Can we fix that? ==
The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets [[ingress filtering|entering the internet]] which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them.

Why is that the solution? Well, because at least it gives you a handle on what to drop, and to whom to report the origin of the traffic, neither of which you have when machines are allowed to send packets with source addresses which are not assigned to them.

There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled with manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC.

== Isn't that complicated? ==
In general: '''no'''. BCP38 filtering to block these packets is most easily handled right at the very edge of the Internet: where customer links terminate in the first piece of provider 'aggregation' gear, like a router, DSLAM, or CMTS. Much to most of this gear already has a 'knob' which can be turned on, which simply drops these packets on the floor as they come in from the customer's PC.

== So why don't people do it? ==
Many different reasons. Some people don't know they can; some don't know they should; some purposefully think they shouldn't. Some think that it's a 'Tragedy of the Commons' situation.
I encourage those people to [http://www.internetsociety.org/deploy360/blog/2014/07/anti-spoofing-bcp-38-and-the-tragedy-of-the-commons/ read this].

'''In almost all cases, for almost all networks, the answer is actually "yes, you should, and no, it's not really hard." We'll cover that in much more detail inside this website.'''

<br> <br> <hr> <hr> <br>

The purpose of this website is to:
* explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected
* give some examples of why this might happen legitimately and because of bad actors
* show what the results can be and how ingress filtering could have made them easier to mitigate, and
* tell network operators in detail
** why they should implement BCP38
** how to implement it
** how much -- if anything -- it will cost
** what collateral damage it may cause
** and (most importantly) how to sell it to their bosses.

Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''.

<div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;">
'''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?'''

'''This site is a wiki; we encourage those of you who have domain-specific knowledge on how and why BCP38 filtering works to register and contribute it. There are still several major articles that haven't been completed yet, primarily because they pertain to networks larger than mine. :-)'''
</div>

= Information by Audience =

'''End customers'''
* [[Information for end-users]]
* [[Information for small businesses]]
* [[Information for medium businesses]]
* [[Information for enterprises]]

'''Network Providers'''
* [[Information for 'eyeball' networks]]
* [[Information for transit providers]]
* [[Information for backbone providers/network engineers]]

'''...and the ever popular'''
* [[Information for equipment manufacturers]]

'''And, finally, some backgrounders'''
* [https://queue.acm.org/detail.cfm?id=2578510 Paul Vixie on the Stupid Network]

= Other Resources =
* [[How To's]] - Collection of articles about identification, configuration and prevention.

bffb92d58a2f1d0dd7f233bcb6c9ebdaf5bdcd7d 190 189 2016-10-21T19:53:57Z Baylink 4 /* What?? */ - add in reference to 21 Oct dyn.com attack

{{Languages}} __NOTOC__
[[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]]

This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. So this site is documentation that explains these attacks, and education that tells network operators how to configure their networks to prevent them.

<div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: pink;">
If you found this site because you heard BCP38 mentioned on the 21 Oct Science Friday, welcome! We've tried to make most of the site accessible to less technical people; if there are parts you don't understand, please ask questions on the wiki's Talk pages!
</div>

== What?? ==
Well, the gritty details are under those links, but in short, these are attacks launched across the Internet to take websites and other services off the air, often utilizing 'bots' on home and business PCs which the owners don't even know are there.
A recent example (likely) is a DDoS on the Dyn.com DNS service provider which made a number of very high profile websites based on the east coast of the US inaccessible for much of the morning of 21 October 2016. These can be [https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/ really big attacks]; if enough of them are running at the same time, aimed at strategically significant targets, they could [https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html take down the internet]. No. We're not making this up. Yes, it matters.

== How do they get away with that? ==
DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], are hard enough to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from.

== Can we fix that? ==
The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets [[ingress filtering|entering the internet]] which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them.

Why is that the solution? Well, because at least it gives you a handle on what to drop, and to whom to report the origin of the traffic, neither of which you have when machines are allowed to send packets with source addresses which are not assigned to them.

There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled with manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC.

== Isn't that complicated? ==
In general: '''no'''.
BCP38 filtering to block these packets is most easily handled right at the very edge of the Internet: where customer links terminate in the first piece of provider 'aggregation' gear, like a router, DSLAM, or CMTS. Much to most of this gear already has a 'knob' which can be turned on, which simply drops these packets on the floor as they come in from the customer's PC.

== So why don't people do it? ==
Many different reasons. Some people don't know they can; some don't know they should; some purposefully think they shouldn't. Some think that it's a 'Tragedy of the Commons' situation. I encourage those people to [http://www.internetsociety.org/deploy360/blog/2014/07/anti-spoofing-bcp-38-and-the-tragedy-of-the-commons/ read this].

'''In almost all cases, for almost all networks, the answer is actually "yes, you should, and no, it's not really hard." We'll cover that in much more detail inside this website.'''

<br> <br> <hr> <hr> <br>

The purpose of this website is to:
* explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected
* give some examples of why this might happen legitimately and because of bad actors
* show what the results can be and how ingress filtering could have made them easier to mitigate, and
* tell network operators in detail
** why they should implement BCP38
** how to implement it
** how much -- if anything -- it will cost
** what collateral damage it may cause
** and (most importantly) how to sell it to their bosses.

Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''.
<div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;">
'''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?'''

'''This site is a wiki; we encourage those of you who have domain-specific knowledge on how and why BCP38 filtering works to register and contribute it. There are still several major articles that haven't been completed yet, primarily because they pertain to networks larger than mine. :-)'''
</div>

= Information by Audience =

'''End customers'''
* [[Information for end-users]]
* [[Information for small businesses]]
* [[Information for medium businesses]]
* [[Information for enterprises]]

'''Network Providers'''
* [[Information for 'eyeball' networks]]
* [[Information for transit providers]]
* [[Information for backbone providers/network engineers]]

'''...and the ever popular'''
* [[Information for equipment manufacturers]]

'''And, finally, some backgrounders'''
* [https://queue.acm.org/detail.cfm?id=2578510 Paul Vixie on the Stupid Network]

= Other Resources =
* [[How To's]] - Collection of articles about identification, configuration and prevention.

81818439c77421b5dbb753806627db633828a36a 189 188 2016-10-21T19:51:27Z Baylink 4 Add a welcome-in

{{Languages}} __NOTOC__
[[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]]

This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. So this site is documentation that explains these attacks, and education that tells network operators how to configure their networks to prevent them.
<div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: pink;">
If you found this site because you heard BCP38 mentioned on the 21 Oct Science Friday, welcome! We've tried to make most of the site accessible to less technical people; if there are parts you don't understand, please ask questions on the wiki's Talk pages!
</div>

== What?? ==
Well, the gritty details are under those links, but in short, these are attacks launched across the Internet to take websites and other services off the air, often utilizing 'bots' on home and business PCs which the owners don't even know are there. These can be [https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/ really big attacks]; if enough of them are running at the same time, aimed at strategically significant targets, they could [https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html take down the internet]. No. We're not making this up. Yes, it matters.

== How do they get away with that? ==
DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], are hard enough to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from.

== Can we fix that? ==
The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets [[ingress filtering|entering the internet]] which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them.

Why is that the solution? Well, because at least it gives you a handle on what to drop, and to whom to report the origin of the traffic, neither of which you have when machines are allowed to send packets with source addresses which are not assigned to them.
There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled with manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC.

== Isn't that complicated? ==
In general: '''no'''. BCP38 filtering to block these packets is most easily handled right at the very edge of the Internet: where customer links terminate in the first piece of provider 'aggregation' gear, like a router, DSLAM, or CMTS. Much to most of this gear already has a 'knob' which can be turned on, which simply drops these packets on the floor as they come in from the customer's PC.

== So why don't people do it? ==
Many different reasons. Some people don't know they can; some don't know they should; some purposefully think they shouldn't. Some think that it's a 'Tragedy of the Commons' situation. I encourage those people to [http://www.internetsociety.org/deploy360/blog/2014/07/anti-spoofing-bcp-38-and-the-tragedy-of-the-commons/ read this].

'''In almost all cases, for almost all networks, the answer is actually "yes, you should, and no, it's not really hard." We'll cover that in much more detail inside this website.'''

<br> <br> <hr> <hr> <br>

The purpose of this website is to:
* explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected
* give some examples of why this might happen legitimately and because of bad actors
* show what the results can be and how ingress filtering could have made them easier to mitigate, and
* tell network operators in detail
** why they should implement BCP38
** how to implement it
** how much -- if anything -- it will cost
** what collateral damage it may cause
** and (most importantly) how to sell it to their bosses.
Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''.

<div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;">
'''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?'''

'''This site is a wiki; we encourage those of you who have domain-specific knowledge on how and why BCP38 filtering works to register and contribute it. There are still several major articles that haven't been completed yet, primarily because they pertain to networks larger than mine. :-)'''
</div>

= Information by Audience =

'''End customers'''
* [[Information for end-users]]
* [[Information for small businesses]]
* [[Information for medium businesses]]
* [[Information for enterprises]]

'''Network Providers'''
* [[Information for 'eyeball' networks]]
* [[Information for transit providers]]
* [[Information for backbone providers/network engineers]]

'''...and the ever popular'''
* [[Information for equipment manufacturers]]

'''And, finally, some backgrounders'''
* [https://queue.acm.org/detail.cfm?id=2578510 Paul Vixie on the Stupid Network]

= Other Resources =
* [[How To's]] - Collection of articles about identification, configuration and prevention.

fddd843067fcb670e3a3aaa76bdfe59e81cd4a63 188 186 2016-09-29T15:10:44Z Baylink 4 /* Can we fix that? */ - expand on why it's the solution

{{Languages}} __NOTOC__
[[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]]

This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''.
So this site is documentation that explains these attacks, and education that tells network operators how to configure their networks to prevent them.

== What?? ==
Well, the gritty details are under those links, but in short, these are attacks launched across the Internet to take websites and other services off the air, often utilizing 'bots' on home and business PCs which the owners don't even know are there. These can be [https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/ really big attacks]; if enough of them are running at the same time, aimed at strategically significant targets, they could [https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html take down the internet]. No. We're not making this up. Yes, it matters.

== How do they get away with that? ==
DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], are hard enough to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from.

== Can we fix that? ==
The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets [[ingress filtering|entering the internet]] which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them.

Why is that the solution? Well, because at least it gives you a handle on what to drop, and to whom to report the origin of the traffic, neither of which you have when machines are allowed to send packets with source addresses which are not assigned to them.
There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled with manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC.

== Isn't that complicated? ==
In general: '''no'''. BCP38 filtering to block these packets is most easily handled right at the very edge of the Internet: where customer links terminate in the first piece of provider 'aggregation' gear, like a router, DSLAM, or CMTS. Much to most of this gear already has a 'knob' which can be turned on, which simply drops these packets on the floor as they come in from the customer's PC.

== So why don't people do it? ==
Many different reasons. Some people don't know they can; some don't know they should; some purposefully think they shouldn't. Some think that it's a 'Tragedy of the Commons' situation. I encourage those people to [http://www.internetsociety.org/deploy360/blog/2014/07/anti-spoofing-bcp-38-and-the-tragedy-of-the-commons/ read this].

'''In almost all cases, for almost all networks, the answer is actually "yes, you should, and no, it's not really hard." We'll cover that in much more detail inside this website.'''

<br> <br> <hr> <hr> <br>

The purpose of this website is to:
* explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected
* give some examples of why this might happen legitimately and because of bad actors
* show what the results can be and how ingress filtering could have made them easier to mitigate, and
* tell network operators in detail
** why they should implement BCP38
** how to implement it
** how much -- if anything -- it will cost
** what collateral damage it may cause
** and (most importantly) how to sell it to their bosses.
Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''.

<div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;">
'''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?'''

'''This site is a wiki; we encourage those of you who have domain-specific knowledge on how and why BCP38 filtering works to register and contribute it. There are still several major articles that haven't been completed yet, primarily because they pertain to networks larger than mine. :-)'''
</div>

= Information by Audience =

'''End customers'''
* [[Information for end-users]]
* [[Information for small businesses]]
* [[Information for medium businesses]]
* [[Information for enterprises]]

'''Network Providers'''
* [[Information for 'eyeball' networks]]
* [[Information for transit providers]]
* [[Information for backbone providers/network engineers]]

'''...and the ever popular'''
* [[Information for equipment manufacturers]]

'''And, finally, some backgrounders'''
* [https://queue.acm.org/detail.cfm?id=2578510 Paul Vixie on the Stupid Network]

= Other Resources =
* [[How To's]] - Collection of articles about identification, configuration and prevention.

8e8e7c8aedb9c841ccc693be8c96f70289738913 186 185 2016-09-25T15:05:54Z Baylink 4 /* So why don't people do it? */

{{Languages}} __NOTOC__
[[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]]

This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''.
So this site is documentation that explains these attacks, and education that tells network operators how to configure their networks to prevent them. == What?? == Well, the gritty details are under those links, but in short, these are attacks launched across the Internet to take websites and other services off the air, often utilizing 'bots' on home and business PCs which the owners don't even know are there. These can be [https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/ really big attacks]; if enough of them are running at the same time, aimed at strategically significant targets, they could [https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html take down the internet]. No. We're not making this up. Yes, it matters. == How do they get away with that? == DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], are hard enough to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. == Can we fix that? == The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets [[ingress filtering|entering the internet]] which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled with manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. == Isn't that complicated? == In general: '''no'''. 
BCP38 filtering to block these packets is most easily handled right at the very edge of the Internet: where customer links terminate in the first piece of provider 'aggregation' gear, like a router, DSLAM, or CMTS. Much to most of this gear already has a 'knob' which can be turned on, which simply drops these packets on the floor as they come in from the customer's PC. == So why don't people do it? == Many different reasons. Some people don't know they can; some don't know they should; some purposefully think they shouldn't. Some think that it's a 'Tragedy of the Commons' situation. I encourage those people to [http://www.internetsociety.org/deploy360/blog/2014/07/anti-spoofing-bcp-38-and-the-tragedy-of-the-commons/ read this]. '''In almost all cases, for almost all networks, the answer is actually "yes, you should, and no, it's not really hard." We'll cover that in much more detail inside this website.''' <br> <br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. 
<div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;"> '''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?''' '''This site is a wiki; we encourage those of you who have domain-specific knowledge on how and why BCP38 filtering works to register and contribute it. There are still several major articles that haven't been completed yet, primarily because they pertain to networks larger than mine. :-)'''</div> = Information by Audience = '''End customers''' * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] '''Network Providers''' * [[Information for 'eyeball' networks]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] '''...and the ever popular''' * [[Information for equipment manufacturers]] '''And, finally, some backgrounders''' * [https://queue.acm.org/detail.cfm?id=2578510 Paul Vixie on the Stupid Network] = Other Resources = * [[How To's]] - Collection of articles about identification, configuration and prevention. e2c334ec59fa6829ea48a629cabdc77db913a442 185 184 2016-09-25T14:41:28Z Baylink 4 /* So why don't people do it? */ {{Languages}} __NOTOC__ [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. So this site is documentation that explains these attacks, and education that tells network operators how to configure their networks to prevent them. == What?? 
== Well, the gritty details are under those links, but in short, these are attacks launched across the Internet to take websites and other services off the air, often utilizing 'bots' on home and business PCs which the owners don't even know are there. These can be [https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/ really big attacks]; if enough of them are running at the same time, aimed at strategically significant targets, they could [https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html take down the internet]. No. We're not making this up. Yes, it matters. == How do they get away with that? == DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], are hard enough to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. == Can we fix that? == The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets [[ingress filtering|entering the internet]] which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled with manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. == Isn't that complicated? == In general: '''no'''. BCP38 filtering to block these packets is most easily handled right at the very edge of the Internet: where customer links terminate in the first piece of provider 'aggregation' gear, like a router, DSLAM, or CMTS. 
Much to most of this gear already has a 'knob' which can be turned on, which simply drops these packets on the floor as they come in from the customer's PC. == So why don't people do it? == Many different reasons. Some people don't know they can; some don't know they should; some purposefully think they shouldn't. '''In almost all cases, for almost all networks, the answer is actually "yes, you should, and no, it's not really hard." We'll cover that in much more detail inside this website.''' <br> <br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. <div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;"> '''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?''' '''This site is a wiki; we encourage those of you who have domain-specific knowledge on how and why BCP38 filtering works to register and contribute it. There are still several major articles that haven't been completed yet, primarily because they pertain to networks larger than mine. 
:-)'''</div> = Information by Audience = '''End customers''' * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] '''Network Providers''' * [[Information for 'eyeball' networks]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] '''...and the ever popular''' * [[Information for equipment manufacturers]] '''And, finally, some backgrounders''' * [https://queue.acm.org/detail.cfm?id=2578510 Paul Vixie on the Stupid Network] = Other Resources = * [[How To's]] - Collection of articles about identification, configuration and prevention. f74ed71ee2fc457e37be301237764147f9bcdd90 184 160 2016-09-25T14:40:07Z Baylink 4 /* What?? */ {{Languages}} __NOTOC__ [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. So this site is documentation that explains these attacks, and education that tells network operators how to configure their networks to prevent them. == What?? == Well, the gritty details are under those links, but in short, these are attacks launched across the Internet to take websites and other services off the air, often utilizing 'bots' on home and business PCs which the owners don't even know are there. These can be [https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/ really big attacks]; if enough of them are running at the same time, aimed at strategically significant targets, they could [https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html take down the internet]. No. We're not making this up. Yes, it matters. == How do they get away with that? 
== DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], are hard enough to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. == Can we fix that? == The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets [[ingress filtering|entering the internet]] which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled with manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. == Isn't that complicated? == In general: '''no'''. BCP38 filtering to block these packets is most easily handled right at the very edge of the Internet: where customer links terminate in the first piece of provider 'aggregation' gear, like a router, DSLAM, or CMTS. Much to most of this gear already has a 'knob' which can be turned on, which simply drops these packets on the floor as they come in from the customer's PC. == So why don't people do it? == Many different reasons. Some people don't know they can; some don't know they should; some purposefully think they shouldn't. '''In almost all cases, for almost all networks, the answer is actually "yes, you should, and no, it's not really hard." 
We'll cover that in much more detail inside this website.''' <br> <br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. <div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;"> '''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?''' '''This site is a wiki; we encourage those of you who have domain-specific knowledge on how and why BCP38 filtering works to register and contribute it. There are still several major articles that haven't been completed yet, primarily because they pertain to networks larger than mine. 
:-)''' '''So, for the moment, contribute, but don't publicize.'''</div> = Information by Audience = '''End customers''' * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] '''Network Providers''' * [[Information for 'eyeball' networks]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] '''...and the ever popular''' * [[Information for equipment manufacturers]] '''And, finally, some backgrounders''' * [https://queue.acm.org/detail.cfm?id=2578510 Paul Vixie on the Stupid Network] = Other Resources = * [[How To's]] - Collection of articles about identification, configuration and prevention. 25e6801b02ce33b2f669aff3e18709a075b697fd 160 154 2014-10-16T16:33:23Z Baylink 4 {{Languages}} __NOTOC__ [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. So this site is documentation that explains these attacks, and education that tells network operators how to configure their networks to prevent them. == What?? == Well, the gritty details are under those links, but in short, these are attacks launched across the Internet to take websites and other services off the air, often utilizing 'bots' on home and business PCs which the owners don't even know are there. == How do they get away with that? == DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], are hard enough to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. == Can we fix that? 
== The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets [[ingress filtering|entering the internet]] which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled with manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. == Isn't that complicated? == In general: '''no'''. BCP38 filtering to block these packets is most easily handled right at the very edge of the Internet: where customer links terminate in the first piece of provider 'aggregation' gear, like a router, DSLAM, or CMTS. Much to most of this gear already has a 'knob' which can be turned on, which simply drops these packets on the floor as they come in from the customer's PC. == So why don't people do it? == Many different reasons. Some people don't know they can; some don't know they should; some purposefully think they shouldn't. '''In almost all cases, for almost all networks, the answer is actually "yes, you should, and no, it's not really hard." 
We'll cover that in much more detail inside this website.''' <br> <br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. <div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;"> '''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?''' '''This site is a wiki; we encourage those of you who have domain-specific knowledge on how and why BCP38 filtering works to register and contribute it. There are still several major articles that haven't been completed yet, primarily because they pertain to networks larger than mine. 
:-)''' '''So, for the moment, contribute, but don't publicize.'''</div> = Information by Audience = '''End customers''' * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] '''Network Providers''' * [[Information for 'eyeball' networks]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] '''...and the ever popular''' * [[Information for equipment manufacturers]] '''And, finally, some backgrounders''' * [https://queue.acm.org/detail.cfm?id=2578510 Paul Vixie on the Stupid Network] = Other Resources = * [[How To's]] - Collection of articles about identification, configuration and prevention. 09bb62e3b8900fa2e8eb760ecf19623225c310cd 154 151 2014-02-09T02:17:52Z Baylink 4 /* Information by Audience */ {{Languages}} __NOTOC__ [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. So this site is documentation and education that explains these attacks, and tells network operators how best to avoid them. == What?? == Well, the gritty details are under those links, but in short, these are attacks launched across the Internet to take websites and other services off the air, often utilizing 'bots' on home and business PCs which the owners don't even know are there. == How do they get away with that? == DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], are hard enough to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. == Can we fix that? 
== The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets [[ingress filtering|entering the internet]] which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled with manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. == Isn't that complicated? == In general: '''no'''. BCP38 filtering to block these packets is most easily handled right at the very edge of the Internet: where customer links terminate in the first piece of provider 'aggregation' gear, like a router, DSLAM, or CMTS. Much to most of this gear already has a 'knob' which can be turned on, which simply drops these packets on the floor as they come in from the customer's PC. == So why don't people do it? == Many different reasons. Some people don't know they can; some don't know they should; some purposefully think they shouldn't. '''In almost all cases, for almost all networks, the answer is actually "yes, you should, and no, it's not really hard." 
We'll cover that in much more detail inside this website.''' <br> <br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. <div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;"> '''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?''' '''This site is a wiki; we encourage those of you who have domain-specific knowledge on how and why BCP38 filtering works to register and contribute it. There are still several major articles that haven't been completed yet, primarily because they pertain to networks larger than mine. 
:-)''' '''So, for the moment, contribute, but don't publicize.'''</div> = Information by Audience = '''End customers''' * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] '''Network Providers''' * [[Information for 'eyeball' networks]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] '''...and the ever popular''' * [[Information for equipment manufacturers]] '''And, finally, some backgrounders''' * [https://queue.acm.org/detail.cfm?id=2578510 Paul Vixie on the Stupid Network] = Other Resources = * [[How To's]] - Collection of articles about identification, configuration and prevention. c3e21c12b85a12f0da792bd7ecf9f0a722c1806c 151 126 2014-01-26T00:49:30Z Baylink 4 /* Information by Audience */ {{Languages}} __NOTOC__ [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. So this site is documentation and education that explains these attacks, and tells network operators how best to avoid them. == What?? == Well, the gritty details are under those links, but in short, these are attacks launched across the Internet to take websites and other services off the air, often utilizing 'bots' on home and business PCs which the owners don't even know are there. == How do they get away with that? == DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], are hard enough to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. == Can we fix that? 
== The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets [[ingress filtering|entering the internet]] which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled with manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. == Isn't that complicated? == In general: '''no'''. BCP38 filtering to block these packets is most easily handled right at the very edge of the Internet: where customer links terminate in the first piece of provider 'aggregation' gear, like a router, DSLAM, or CMTS. Much to most of this gear already has a 'knob' which can be turned on, which simply drops these packets on the floor as they come in from the customer's PC. == So why don't people do it? == Many different reasons. Some people don't know they can; some don't know they should; some purposefully think they shouldn't. '''In almost all cases, for almost all networks, the answer is actually "yes, you should, and no, it's not really hard." 
We'll cover that in much more detail inside this website.''' <br> <br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. <div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;"> '''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?''' '''This site is a wiki; we encourage those of you who have domain-specific knowledge on how and why BCP38 filtering works to register and contribute it. There are still several major articles that haven't been completed yet, primarily because they pertain to networks larger than mine. 
:-)''' '''So, for the moment, contribute, but don't publicize.'''</div> = Information by Audience = '''End customers''' * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] '''Network Providers''' * [[Information for 'eyeball' networks]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] '''...and the ever popular''' * [[Information for equipment manufacturers]] = Other Resources = * [[How To's]] - Collection of articles about identification, configuration and prevention. 80f6ef8d6cac0a706f634a9f816372ffb475c44a 126 125 2014-01-23T17:41:41Z Baylink 4 /* So why don't people do it? */ {{Languages}} __NOTOC__ [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. So this site is documentation and education that explains these attacks, and tells network operators how best to avoid them. == What?? == Well, the gritty details are under those links, but in short, these are attacks launched across the Internet to take websites and other services off the air, often utilizing 'bots' on home and business PCs which the owners don't even know are there. == How do they get away with that? == DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], are hard enough to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. == Can we fix that? 
== The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets [[ingress filtering|entering the internet]] which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled with manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. == Isn't that complicated? == In general: '''no'''. BCP38 filtering to block these packets is most easily handled right at the very edge of the Internet: where customer links terminate in the first piece of provider 'aggregation' gear, like a router, DSLAM, or CMTS. Much to most of this gear already has a 'knob' which can be turned on, which simply drops these packets on the floor as they come in from the customer's PC. == So why don't people do it? == Many different reasons. Some people don't know they can; some don't know they should; some purposefully think they shouldn't. '''In almost all cases, for almost all networks, the answer is actually "yes, you should, and no, it's not really hard." 
We'll cover that in much more detail inside this website.''' <br> <br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. <div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;"> '''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?''' '''This site is a wiki; we encourage those of you who have domain-specific knowledge on how and why BCP38 filtering works to register and contribute it. There are still several major articles that haven't been completed yet, primarily because they pertain to networks larger than mine.
:-)''' '''So, for the moment, contribute, but don't publicize.'''</div> = Information by Audience = '''End customers''' * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] '''Network Providers''' * [[Information for 'eyeball' networks]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] = Other Resources = * [[How To's]] - Collection of articles about identification, configuration and prevention. d2be29baab0d6d31cc06a159d43cd857817f7308 125 114 2014-01-18T22:47:21Z Baylink 4 refactor meta box {{Languages}} __NOTOC__ [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. So this site is documentation and education that explains these attacks, and tells network operators how best to avoid them. == What?? == Well, the gritty details are under those links, but in short, these are attacks launched across the Internet to take websites and other services off the air, often utilizing 'bots' on home and business PCs which the owners don't even know are there. == How do they get away with that? == DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], are hard enough to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. == Can we fix that? 
== The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets [[ingress filtering|entering the internet]] which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled with manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. == Isn't that complicated? == In general: '''no'''. BCP38 filtering to block these packets is most easily handled right at the very edge of the Internet: where customer links terminate in the first piece of provider 'aggregation' gear, like a router, DSLAM, or CMTS. Much to most of this gear already has a 'knob' which can be turned on, which simply drops these packets on the floor as they come in from the customer's PC. == So why don't people do it? == Many different reasons. Some people don't know they can; some don't know they should; some purposefully think they shouldn't. '''In almost all cases, for almost all customers, the answer is actually "yes, you should, and no, it's not really hard." 
We'll cover that in much more detail inside this website.''' <br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. <div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;"> '''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?''' '''This site is a wiki; we encourage those of you who have domain-specific knowledge on how and why BCP38 filtering works to register and contribute it. There are still several major articles that haven't been completed yet, primarily because they pertain to networks larger than mine.
:-)''' '''So, for the moment, contribute, but don't publicize.'''</div> = Information by Audience = '''End customers''' * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] '''Network Providers''' * [[Information for 'eyeball' networks]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] = Other Resources = * [[How To's]] - Collection of articles about identification, configuration and prevention. 8cd8521dc041bc3fe2fc8073c5a0904a1f86ff0b 114 113 2014-01-17T03:00:02Z Baylink 4 {{Languages}} __NOTOC__ [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. So this site is documentation and education that explains these attacks, and tells network operators how best to avoid them. == What?? == Well, the gritty details are under those links, but in short, these are attacks launched across the Internet to take websites and other services off the air, often utilizing 'bots' on home and business PCs which the owners don't even know are there. == How do they get away with that? == DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], are hard enough to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. == Can we fix that? 
== The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets [[ingress filtering|entering the internet]] which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled with manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. == Isn't that complicated? == In general: '''no'''. BCP38 filtering to block these packets is most easily handled right at the very edge of the Internet: where customer links terminate in the first piece of provider 'aggregation' gear, like a router, DSLAM, or CMTS. Much to most of this gear already has a 'knob' which can be turned on, which simply drops these packets on the floor as they come in from the customer's PC. == So why don't people do it? == Many different reasons. Some people don't know they can; some don't know they should; some purposefully think they shouldn't. '''In almost all cases, for almost all customers, the answer is actually "yes, you should, and no, it's not really hard." 
We'll cover that in much more detail inside this website.''' <br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. <div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;"> '''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?''' '''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week; in particular, my skills are in wiki editory, not configuring routers; I propose to let some people who do know how to do that put in some content, and then organize it a bit and expand it for a general audience where necessary).''' '''So, for the moment, contribute, but don't publicize.'''</div> = Information by Audience = '''End customers''' * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] '''Network Providers''' * [[Information for 'eyeball' networks]] * [[Information for transit
providers]] * [[Information for backbone providers/network engineers]] = Other Resources = * [[How To's]] - Collection of articles about identification, configuration and prevention. 319ff74cf0d12350af740ef06581e60d2f90b9f4 113 112 2014-01-17T02:57:05Z Baylink 4 {{Languages}} __NOTOC__ [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. That is, it's a document that explains these attacks, and tells network operators how best to avoid them. == What?? == Well, the gritty details are under those links, but in short, these are attacks launched across the Internet to take websites and other services off the air, often utilizing 'bots' on home and business PCs which the owners don't even know are there. == How do they get away with that? == DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], are hard enough to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. == Can we fix that? == The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets [[ingress filtering|entering the internet]] which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled with manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. 
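The per-port check described above, with its manual exceptions, written out as an added example (not part of the original page or of RFC2827). The port names, the prefix table and the sample packets are constructed for illustration; the addresses come from the documentation ranges.

```python
import ipaddress
from collections import Counter

# Constructed sample data: customer-facing ports on one piece of aggregation
# gear, and the prefixes the provider assigned to the customer on each port.
ASSIGNED = {
    "cust-port-1": ["192.0.2.0/26"],
    "cust-port-2": ["192.0.2.64/26", "2001:db8:2::/48"],
}

# Manual exceptions: sources that are legitimate on a port even though the
# provider did not assign them (assumed here: a multihomed customer that
# also holds a prefix from another provider).
EXCEPTIONS = {
    "cust-port-2": ["198.51.100.0/24"],
}

# Constructed sample traffic: (ingress port, source address of the packet).
SAMPLE_PACKETS = [
    ("cust-port-1", "192.0.2.10"),        # customer's own address
    ("cust-port-1", "203.0.113.7"),       # forged: never assigned here
    ("cust-port-1", "192.0.2.70"),        # forged: a neighbour's address
    ("cust-port-2", "192.0.2.70"),        # same address, on its real port
    ("cust-port-2", "198.51.100.25"),     # covered by the manual exception
    ("cust-port-2", "2001:db8:2::1"),     # assigned IPv6 prefix
    ("cust-port-2", "2001:db8:ffff::1"),  # forged IPv6 source
    ("cust-port-9", "192.0.2.10"),        # port with no assignment on file
]


def _parse(table):
    """Turn {port: [prefix strings]} into {port: [ip_network objects]}."""
    return {
        port: [ipaddress.ip_network(p) for p in prefixes]
        for port, prefixes in table.items()
    }


def _covers(networks, addr):
    """True if addr falls inside any network of the same IP version."""
    return any(addr.version == n.version and addr in n for n in networks)


class IngressFilter:
    """Source-address validation at the customer edge.

    A packet is forwarded only if its source address lies inside a prefix
    assigned to the port it arrived on, or inside a manual exception for
    that port. Everything else is dropped before it enters the network.
    """

    def __init__(self, assigned, exceptions=None):
        self.assigned = _parse(assigned)
        self.exceptions = _parse(exceptions or {})

    def check(self, port, src):
        """Return (permit, reason) for one packet."""
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False, "malformed-source"
        if port not in self.assigned:
            # Fail closed: no assignment on file means nothing is permitted.
            return False, "unknown-port"
        if _covers(self.assigned[port], addr):
            return True, "assigned"
        if _covers(self.exceptions.get(port, []), addr):
            return True, "exception"
        return False, "not-assigned"


def tally(ingress_filter, packets):
    """Count decisions by reason, as an operator would read drop counters."""
    counts = Counter()
    for port, src in packets:
        _, reason = ingress_filter.check(port, src)
        counts[reason] += 1
    return dict(counts)


if __name__ == "__main__":
    f = IngressFilter(ASSIGNED, EXCEPTIONS)
    for port, src in SAMPLE_PACKETS:
        permit, reason = f.check(port, src)
        print(f"{port:12} {src:18} {'forward' if permit else 'drop':8} {reason}")
    print(tally(f, SAMPLE_PACKETS))
```

The third and fourth sample packets carry the same source address: it is dropped on the port it was not assigned to and forwarded on the port it was, which is why the check belongs where each customer link terminates.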
== Isn't that complicated? == In general: '''no'''. BCP38 filtering to block these packets is most easily handled right at the very edge of the Internet: where customer links terminate in the first piece of provider 'aggregation' gear, like a router, DSLAM, or CMTS. Much to most of this gear already has a 'knob' which can be turned on, which simply drops these packets on the floor as they come in from the customer's PC. == So why don't people do it? == Many different reasons. Some people don't know they can; some don't know they should; some purposefully think they shouldn't. '''In almost all cases, for almost all customers, the answer is actually "yes, you should, and no, it's not really hard." We'll cover that in much more detail inside this website.''' <br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. 
<div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;"> '''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?''' '''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week; in particular, my skills are in wiki editory, not configuring routers; I propose to let some people who do know how to do that put in some content, and then organize it a bit and expand it for a general audience where necessary).''' '''So, for the moment, contribute, but don't publicize.'''</div> = Information by Audience = '''End customers''' * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] '''Network Providers''' * [[Information for 'eyeball' networks]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] = Other Resources = * [[How To's]] - Collection of articles about identification, configuration and prevention. a54cb1a6d45708fb31e4c8f171c220e3888c3fd1 112 104 2014-01-17T02:55:42Z Baylink 4 Refactor front page a bit for C-level audiences, the actual target. {{Languages}} [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. That is, it's a document that explains these attacks, and tells network operators how best to avoid them. == What??
== Well, the gritty details are under those links, but in short, these are attacks launched across the Internet to take websites and other services off the air, often utilizing 'bots' on home and business PCs which their owners don't even know are there. == How do they get away with that? == DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], are hard enough to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. == Can we fix that? == The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets [[ingress filtering|entering the internet]] which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled with manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. == Isn't that complicated? == In general: '''no'''. BCP38 filtering to block these packets is most easily handled right at the very edge of the Internet: where customer links terminate in the first piece of provider 'aggregation' gear, like a router, DSLAM, or CMTS. Much to most of this gear already has a 'knob' which can be turned on, which simply drops these packets on the floor as they come in from the customer's PC. == So why don't people do it? == Many different reasons. Some people don't know they can; some don't know they should; some purposefully think they shouldn't.
'''In almost all cases, for almost all customers, the answer is actually "yes, you should, and no, it's not really hard." We'll cover that in much more detail inside this website.''' <br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. <div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;"> '''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?''' '''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week; in particular, my skills are in wiki editory, not configuring routers; I propose to let some people who do know how to do that put in some content, and then organize it a bit and expand it for a general audience where necessary).''' '''So, for the moment, contribute, but don't publicize.'''</div> = Information by Audience = '''End customers''' * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] *
[[Information for enterprises]] '''Network Providers''' * [[Information for 'eyeball' networks]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] = Other Resources = * [[How To's]] - Collection of articles about identification, configuration and prevention. c5a06c4feff69a8a4216aca7a41892965e7c4a20 104 75 2013-04-08T17:55:09Z BCP38 Moderator 1 {{Languages}} [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. That is, it's a document that explains these attacks, and tells network operators how best to avoid them. DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], can be difficult to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets [[ingress filtering|entering the internet]] which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled as manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. 
<br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. <div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;"> '''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?''' '''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week; in particular, my skills are in wiki editory, not configuring routers; I propose to let some people who do know how to do that put in some content, and then organize it a bit and expand it for a general audience where necessary).''' '''So, for the moment, contribute, but don't publicize.'''</div> = Information by Audience = '''End customers''' * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] '''Network Providers''' * [[Information for 'eyeball' networks]] * [[Information for transit providers]] * [[Information for backbone providers/network
engineers]] = Other Resources = * [[How To's]] - Collection of articles about identification, configuration and prevention. c6621d8aef782568f3e0986a5e82b888a7e7c8b0 75 55 2013-04-04T21:12:48Z Baylink 4 [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. That is, it's a document that explains these attacks, and tells network operators how best to avoid them. DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], can be difficult to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets [[ingress filtering|entering the internet]] which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled as manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. 
<br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. <div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;"> '''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?''' '''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week; in particular, my skills are in wiki editory, not configuring routers; I propose to let some people who do know how to do that put in some content, and then organize it a bit and expand it for a general audience where necessary).''' '''So, for the moment, contribute, but don't publicize.'''</div> = Information by Audience = '''End customers''' * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] '''Network Providers''' * [[Information for 'eyeball' networks]] * [[Information for transit providers]] * [[Information for backbone providers/network
engineers]] = Other Resources = * [[How To's]] - Collection of articles about identification, configuration and prevention. c303152af7d880f9a0761d01b75614893c4e5a2f 55 54 2013-03-31T15:32:47Z Baylink 4 [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. That is, it's a document that explains these attacks, and tells network operators how best to avoid them. DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], can be difficult to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets entering the internet which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled as manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. 
<br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. <div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;"> '''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?''' '''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week; in particular, my skills are in wiki editory, not configuring routers; I propose to let some people who do know how to do that put in some content, and then organize it a bit and expand it for a general audience where necessary).''' '''So, for the moment, contribute, but don't publicize.'''</div> = Information by Audience = '''End customers''' * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] '''Network Providers''' * [[Information for 'eyeball' networks]] * [[Information for transit providers]] * [[Information for backbone providers/network
engineers]] = Other Resources = * [[How To's]] - Collection of articles about identification, configuration and prevention. d98a0a7a1f9623716b120f77be6df0153d666483 54 48 2013-03-31T15:30:35Z Baylink 4 [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. That is, it's a document that explains these attacks, and tells network operators how best to avoid them. DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], can be difficult to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets entering the internet which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled as manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. 
<br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. <div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;"> '''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?''' '''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week; in particular, my skills are in wiki editory, not configuring routers; I propose to let some people who do know how to do that put in some content, and then organize it a bit and expand it for a general audience where necessary).''' '''So, for the moment, contribute, but don't publicize.'''</div> = Information by Audience = '''End customers''' * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] '''Network Providers''' * [[Information for 'eyeball' networks]] * [[Information for transit providers]] * [[Information for backbone providers/network 
engineers]] = Other Resources = * [[How To's]] - Collection of articles about identification, configuration and prevention. 3d1e0878aaba8acffd6c4f9b4087a423a0f4c76d 48 39 2013-03-31T15:13:05Z Baylink 4 /* Information by Audience */ [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. That is, it's a document that explains these attacks, and tells network operators how best to avoid them. DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], can be difficult to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets entering the internet which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled as manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. 
<br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. '''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week; in particular, my skills are in wiki editory, not configuring routers; I propose to let some people who do know how to do that put in some content, and then organize it a bit and expand it for a general audience where necessary).''' = Information by Audience = '''End customers''' * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] '''Network Providers''' * [[Information for 'eyeball' networks]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] = Other Resources = * [[How To's]] - Collection of articles about identification, configuration and prevention. 293caae9008f64c45c60796abd486a38a1e63257 39 32 2013-03-31T02:45:46Z Baylink 4 [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? 
[[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. That is, it's a document that explains these attacks, and tells network operators how best to avoid them. DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], can be difficult to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets entering the internet which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled as manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. <br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. 
'''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week; in particular, my skills are in wiki editory, not configuring routers; I propose to let some people who do know how to do that put in some content, and then organize it a bit and expand it for a general audience where necessary).''' = Information by Audience = * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] = Other Resources = * [[How To's]] - Collection of articles about identification, configuration and prevention. 9629de78563bdb0b3c236df26cf1232b0060b06d 32 27 2013-03-30T23:46:11Z BCP38 Moderator 1 /* Other Resources */ [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. That is, it's a document that explains these attacks, and tells network operators how best to avoid them. DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], can be difficult to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets entering the internet which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. 
There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled as manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. <br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. '''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week).''' = Information by Audience = * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] = Other Resources = * [[How To's]] - Collection of articles about identification, configuration and prevention. 4eb5d56a2a3fc2bc11963fe19d612866a4f1889b 27 25 2013-03-30T19:11:51Z Baylink 4 /* Information by Audience */ [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? 
[[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. That is, it's a document that explains these attacks, and tells network operators how best to avoid them. DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], can be difficult to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets entering the internet which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled as manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. <br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. 
'''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week).''' = Information by Audience = * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] = Other Resources = b25e808253f4c7841e6dd95860f12e1d7b50d758 25 24 2013-03-30T19:03:53Z Baylink 4 Add outlink to 2827 at IETF; credit Ferg and Senie [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. That is, it's a document that explains these attacks, and tells network operators how best to avoid them. DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], can be difficult to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], which was written some 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets entering the internet which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled as manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. 
<br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. '''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week).''' = Information by Audience = * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] 8b8ec545f1a9169f25fdc5757708fcf4c3690927 24 21 2013-03-30T19:00:59Z Baylink 4 Reformat the front page a bit; include Barry Greene's illustration. [[File:BCP38_DHCP.png|thumb|right|top|431px|An example of BCP38 implementation in a large DHCP-addressed network]] This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. That is, it's a document that explains these attacks, and tells network operators how best to avoid them. 
DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], can be difficult to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. The solution to this problem, described in RFC2827, which was published some 13 years ago, is to block IP packets entering the internet which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled as manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. <br> <hr> <hr> <br> The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''. 
'''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week).''' = Information by Audience = * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] 951bd6561e2d0233f3b5c4caaccc23f7986c3256 21 20 2013-03-30T15:10:54Z Baylink 4 Tweak some language for clarity This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. That is, it's a document that explains these attacks, and tells network operators how best to avoid them. DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], can be difficult to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. The solution to this problem, described in RFC2827, which was published some 13 years ago, is to block IP packets entering the internet which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled as manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. 
The purpose of this website is to: * explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected * give some examples of why this might happen legitimately and because of bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. '''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week).''' = Information by Audience = * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] 398cd491830049f0d4a8805bd7edb3f01ee31ca2 20 19 2013-03-29T19:29:15Z Baylink 4 This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is '''[[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'''. If RFC2827 is ever replaced as BCP38, we'll update this page. DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], can be difficult to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. The solution to this problem, described in RFC2827, which was published some 13 years ago, is to block IP packets entering the internet which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. 
There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled as manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. The purpose of this website is to: * explain in depth why source IP address spoofing happens * give some examples of how it can be used legitimately and by bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. '''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week).''' = Information by Audience = * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] 7a05c89ffaa82d0a746fbd8a5b5fb146280f6753 19 7 2013-03-29T17:44:39Z Baylink 4 This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is [[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]. If RFC2827 is ever replaced as BCP38, we'll update this page. DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], can be difficult to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. 
The solution to this problem, described in RFC2827, which was published some 13 years ago, is to block IP packets entering the internet which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled as manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. The purpose of this website is to: * explain in depth why source IP address spoofing happens * give some examples of how it can be used legitimately and by bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. '''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week).''' = Information by Audience = * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] 92703243245c1d717b6edfff236cc3773eeeb216 7 6 2013-03-29T15:49:33Z Baylink 4 This is '''BCP38.info'''. What's BCP38? [[BCP]]38 is [[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]. 
DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], can be difficult to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. The solution to this problem, described in RFC2827, which was published some 13 years ago, is to block IP packets entering the internet which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled as manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. The purpose of this website is to: * explain in depth why source IP address spoofing happens * give some examples of how it can be used legitimately and by bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. '''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week).''' = Information by Audience = * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] efc88e0e0aa9adc0198de681eb3d649dbf82b51a 6 3 2013-03-29T15:48:59Z Baylink 4 This is '''BCP38.info'''. What's BCP38? 
[[BCP]]38 is [[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]. DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], can be difficult to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. The solution to this problem, described in RFC2827, which was published some 13 years ago, is to block IP packets entering the internet which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled as manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. The purpose of this website is to: * explain in depth why source IP address spoofing happens * give some examples of how it can be used legitimately and by bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. 
'''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week).''' = Information by Audience = * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] 6b1aaf8dfa148da0c377975250fb2ae135d14888 3 2 2013-03-29T15:40:41Z Baylink 4 This is BCP38.info. What's BCP38? [[BCP]]38 is [[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]. DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], can be difficult to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. The solution to this problem, described in RFC2827, which was published some 13 years ago, is to block IP packets entering the internet which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled as manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC. 
The purpose of this website is to: * explain in depth why source IP address spoofing happens * give some examples of how it can be used legitimately and by bad actors * show what the results can be and how ingress filtering could have made them easier to mitigate, and * tell network operators in detail ** why they should implement BCP38 ** how to implement it ** how much -- if anything -- it will cost ** what collateral damage it may cause ** and (most importantly) how to sell it to their bosses. '''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week).''' = Information by Audience = * [[Information for end-users]] * [[Information for small businesses]] * [[Information for medium businesses]] * [[Information for enterprises]] * [[Information for transit providers]] * [[Information for backbone providers/network engineers]] 39adb56705582f4f820a490bad2845554c865a2b 2 1 2013-03-29T15:39:53Z Baylink 4 First cut of home page This is BCP38.info. What's BCP38? BCP38 is [[RFC]]2827: Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]. DoS attacks, and their even nastier cousins [[Distributed Denial Of Service Attacks]], can be difficult to deal with, but if the packets which comprise the attack have forged source [[IP Addresses]], it not only becomes harder to stop the attack, it also becomes impossible to determine where it's actually coming from. The solution to this problem, described in RFC2827, which was published some 13 years ago, is to block IP packets entering the internet which have source IP addresses which are forged -- IP addresses that were not assigned to the device which is sending them. 
There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled as manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC.

The purpose of this website is to:
* explain in depth why source IP address spoofing happens
* give some examples of how it can be used legitimately and by bad actors
* show what the results can be and how ingress filtering could have made them easier to mitigate, and
* tell network operators in detail
** why they should implement BCP38
** how to implement it
** how much -- if anything -- it will cost
** what collateral damage it may cause
** and (most importantly) how to sell it to their bosses.

'''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week).'''

= Information by Audience =
* [[Information for end-users]]
* [[Information for small businesses]]
* [[Information for medium businesses]]
* [[Information for enterprises]]
* [[Information for transit providers]]
* [[Information for backbone providers/network engineers]]

9cc2ad996aab343d3165129bdf8fe70982a0537b 1 2013-03-28T20:04:26Z MediaWiki default 0

'''MediaWiki has been successfully installed.'''

Consult the [//meta.wikimedia.org/wiki/Help:Contents User's Guide] for information on using the wiki software.
== Getting started ==
* [//www.mediawiki.org/wiki/Manual:Configuration_settings Configuration settings list]
* [//www.mediawiki.org/wiki/Manual:FAQ MediaWiki FAQ]
* [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list]

b7a3846f2c55072191227d89a3204fe379288fee Main Page/es 0 31 111 110 2013-04-09T13:44:46Z Huguei 9

{{Languages}}
[[File:BCP38_DHCP.png|thumb|right|top|431px|An example of a BCP38 implementation in a large DHCP-addressed network]]

This is '''BCP38.info'''. What is BCP38?

The BCP38 document corresponds to the standard '''RFC2827: Ingress network filtering: defeating denial-of-service attacks that use forged source IP addresses''' (''Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'', in the original English). That is, it is a document that explains these attacks and recommends to network operators the best ways to avoid them.

Denial of Service (DoS) attacks, and their even worse cousins, Distributed Denial of Service (DDoS) attacks, have always been difficult to handle. And if we add to that the fact that the packets making up the attack could have a forged origin, it not only becomes harder to stop the attack, it also becomes impossible to determine where it is coming from.

The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], written 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets as they enter the Internet if they have forged IP addresses -- that is, IP addresses that were not assigned to the device that is sending them.
There are a small number of cases in which such packets are ''not'' fraudulent, but that percentage is so low that they can be handled as manually maintained exceptions, even in environments where such packets would be blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC.

<br> <hr> <hr> <br>

The goals of this website are to:
* explain in detail why source IP address spoofing happens - why IP packets may arrive at a network with a source address that is not the expected one
* give some examples of why this can happen legitimately, and also the cases caused by bad actors
* show the possible results and how filtering at the source can make their mitigation simpler, and
* explain to network operators in detail:
** why they should implement BCP38
** how to implement it
** how much it costs -- if there is any cost at all --
** what collateral damage it could cause
** and, most importantly, how to sell it to their bosses.

Our goal with BCP38.info is to make clear that there is a problem, explain what it is, and ''give practical advice on what can be done to solve it''.

= Information by Audience =
'''End Customers'''
* [[Information_for_end-users/es|Information for end-users]]
* [[Information for small businesses]]
* [[Information for medium businesses]]
* [[Information for enterprises]]
'''Network Providers'''
* [[Information for 'eyeball' networks]]
* [[Information for transit providers]]
* [[Information for backbone providers/network engineers]]

= Other Resources =
* [[How To's]] - Collection of articles about identification, configuration and prevention.

c627f0a44af6b6d5f7571191ae88381578516be3 110 109 2013-04-09T13:44:16Z Huguei 9

{{Languages}}
[[File:BCP38_DHCP.png|thumb|right|top|431px|An example of a BCP38 implementation in a large DHCP-addressed network]]

This is '''BCP38.info'''. What is BCP38?
The BCP38 document corresponds to the standard '''RFC2827: Ingress network filtering: defeating denial-of-service attacks that use forged source IP addresses''' (''Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'', in the original English). That is, it is a document that explains these attacks and recommends to network operators the best ways to avoid them.

Denial of Service (DoS) attacks, and their even worse cousins, Distributed Denial of Service (DDoS) attacks, have always been difficult to handle. And if we add to that the fact that the packets making up the attack could have a forged origin, it not only becomes harder to stop the attack, it also becomes impossible to determine where it is coming from.

The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], written 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets as they enter the Internet if they have forged IP addresses -- that is, IP addresses that were not assigned to the device that is sending them.

There are a small number of cases in which such packets are ''not'' fraudulent, but that percentage is so low that they can be handled as manually maintained exceptions, even in environments where such packets would be blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC.
<br> <hr> <hr> <br>

The goals of this website are to:
* explain in detail why source IP address spoofing happens - why IP packets may arrive at a network with a source address that is not the expected one
* give some examples of why this can happen legitimately, and also the cases caused by bad actors
* show the possible results and how filtering at the source can make their mitigation simpler, and
* explain to network operators in detail:
** why they should implement BCP38
** how to implement it
** how much it costs -- if there is any cost at all --
** what collateral damage it could cause
** and, most importantly, how to sell it to their bosses.

Our goal with BCP38.info is to make clear that there is a problem, explain what it is, and ''give practical advice on what can be done to solve it''.

= Information by Audience =
'''End Customers'''
* [[Información para usuarios finales|Information_for_end-users/es]]
* [[Information for small businesses]]
* [[Information for medium businesses]]
* [[Information for enterprises]]
'''Network Providers'''
* [[Information for 'eyeball' networks]]
* [[Information for transit providers]]
* [[Information for backbone providers/network engineers]]

= Other Resources =
* [[How To's]] - Collection of articles about identification, configuration and prevention.

7931440f03135427dff16d719028fc3a20102faf 109 106 2013-04-09T13:43:39Z Huguei 9

{{Languages}}
[[File:BCP38_DHCP.png|thumb|right|top|431px|An example of a BCP38 implementation in a large DHCP-addressed network]]

This is '''BCP38.info'''. What is BCP38?

The BCP38 document corresponds to the standard '''RFC2827: Ingress network filtering: defeating denial-of-service attacks that use forged source IP addresses''' (''Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'', in the original English).
That is, it is a document that explains these attacks and recommends to network operators the best ways to avoid them.

Denial of Service (DoS) attacks, and their even worse cousins, Distributed Denial of Service (DDoS) attacks, have always been difficult to handle. And if we add to that the fact that the packets making up the attack could have a forged origin, it not only becomes harder to stop the attack, it also becomes impossible to determine where it is coming from.

The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], written 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets as they enter the Internet if they have forged IP addresses -- that is, IP addresses that were not assigned to the device that is sending them.

There are a small number of cases in which such packets are ''not'' fraudulent, but that percentage is so low that they can be handled as manually maintained exceptions, even in environments where such packets would be blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC.

<br> <hr> <hr> <br>

The goals of this website are to:
* explain in detail why source IP address spoofing happens - why IP packets may arrive at a network with a source address that is not the expected one
* give some examples of why this can happen legitimately, and also the cases caused by bad actors
* show the possible results and how filtering at the source can make their mitigation simpler, and
* explain to network operators in detail:
** why they should implement BCP38
** how to implement it
** how much it costs -- if there is any cost at all --
** what collateral damage it could cause
** and, most importantly, how to sell it to their bosses.
Our goal with BCP38.info is to make clear that there is a problem, explain what it is, and ''give practical advice on what can be done to solve it''.

= Information by Audience =
'''End Customers'''
* [[Información para usuarios finales]]
* [[Information for small businesses]]
* [[Information for medium businesses]]
* [[Information for enterprises]]
'''Network Providers'''
* [[Information for 'eyeball' networks]]
* [[Information for transit providers]]
* [[Information for backbone providers/network engineers]]

= Other Resources =
* [[How To's]] - Collection of articles about identification, configuration and prevention.

d11a182af709537c376c9ca8b09a6d18bf9fdf5c 106 105 2013-04-08T21:00:35Z Huguei 9

{{Languages}}
[[File:BCP38_DHCP.png|thumb|right|top|431px|An example of a BCP38 implementation in a large DHCP-addressed network]]

This is '''BCP38.info'''. What is BCP38?

The BCP38 document corresponds to the standard '''RFC2827: Ingress network filtering: defeating denial-of-service attacks that use forged source IP addresses''' (''Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'', in the original English). That is, it is a document that explains these attacks and recommends to network operators the best ways to avoid them.

Denial of Service (DoS) attacks, and their even worse cousins, Distributed Denial of Service (DDoS) attacks, have always been difficult to handle. And if we add to that the fact that the packets making up the attack could have a forged origin, it not only becomes harder to stop the attack, it also becomes impossible to determine where it is coming from.
The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], written 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets as they enter the Internet if they have forged IP addresses -- that is, IP addresses that were not assigned to the device that is sending them.

There are a small number of cases in which such packets are ''not'' fraudulent, but that percentage is so low that they can be handled as manually maintained exceptions, even in environments where such packets would be blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC.

<br> <hr> <hr> <br>

The goals of this website are to:
* explain in detail why source IP address spoofing happens - why IP packets may arrive at a network with a source address that is not the expected one
* give some examples of why this can happen legitimately, and also the cases caused by bad actors
* show the possible results and how filtering at the source can make their mitigation simpler, and
* explain to network operators in detail:
** why they should implement BCP38
** how to implement it
** how much it costs -- if there is any cost at all --
** what collateral damage it could cause
** and, most importantly, how to sell it to their bosses.

Our goal with BCP38.info is to make clear that there is a problem, explain what it is, and ''give practical advice on what can be done to solve it''.
= Information by Audience =
'''End Customers'''
* [[Information for end-users]]
* [[Information for small businesses]]
* [[Information for medium businesses]]
* [[Information for enterprises]]
'''Network Providers'''
* [[Information for 'eyeball' networks]]
* [[Information for transit providers]]
* [[Information for backbone providers/network engineers]]

= Other Resources =
* [[How To's]] - Collection of articles about identification, configuration and prevention.

30e86f9a1789c145a6d72ba49d125421bf1b40e4 105 99 2013-04-08T17:55:29Z BCP38 Moderator 1

{{Languages}}
[[File:BCP38_DHCP.png|thumb|right|top|431px|An example of a BCP38 implementation in a large DHCP-addressed network]]

This is '''BCP38.info'''. What is BCP38?

The BCP38 document corresponds to the standard '''RFC2827: Ingress network filtering: defeating denial-of-service attacks that use forged source IP addresses''' (''Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'', in the original English). That is, it is a document that explains these attacks and recommends to network operators the best ways to avoid them.

Denial of Service (DoS) attacks, and their even worse cousins, Distributed Denial of Service (DDoS) attacks, are always difficult to handle, but if we add to that the fact that the packets making up the attack have a forged origin, it not only becomes harder to stop the attack, it also becomes impossible to determine where it is coming from.

The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], written 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets as they enter the Internet if they have forged IP addresses -- that is, IP addresses that were not assigned to the device that is sending them.
There are a small number of cases in which such packets are ''not'' fraudulent, but that percentage is so low that they can be handled as manually maintained exceptions, even in environments where such packets would be blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC.

<br> <hr> <hr> <br>

The goals of this website are to:
* explain in detail why source IP address spoofing happens - why IP packets may arrive at a network with a source address that is not the expected one
* give some examples of why this can happen legitimately, and those caused by bad actors
* show the possible results and how filtering at the source can make their mitigation simpler, and
* explain to network operators in detail:
** why they should implement BCP38
** how to implement it
** how much it costs -- if there is any cost at all --
** what collateral damage it could cause
** and, most importantly, how to sell it to their bosses.

Our goal with BCP38.info is to make clear that there is a problem, explain what it is, and ''give practical advice on what can be done to solve it''.
<div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;">
'''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?'''

'''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week; in particular, my skills are in wiki editory, not configuring routers; I propose to let some people who do know how to do that put in some content, and then organize it a bit and expand it for a general audience where necessary).'''

'''So, for the moment, contribute, but don't publicize.'''</div>

= Information by Audience =
'''End customers'''
* [[Information for end-users]]
* [[Information for small businesses]]
* [[Information for medium businesses]]
* [[Information for enterprises]]
'''Network Providers'''
* [[Information for 'eyeball' networks]]
* [[Information for transit providers]]
* [[Information for backbone providers/network engineers]]

= Other Resources =
* [[How To's]] - Collection of articles about identification, configuration and prevention.

ef4decd36df555cdf702aab75a1fbb03243b291c 99 98 2013-04-08T15:41:49Z Huguei 9

[[File:BCP38_DHCP.png|thumb|right|top|431px|An example of a BCP38 implementation in a large DHCP-addressed network]]

This is '''BCP38.info'''. What is BCP38?

The BCP38 document corresponds to the standard '''RFC2827: Ingress network filtering: defeating denial-of-service attacks that use forged source IP addresses''' (''Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'', in the original English).
That is, it is a document that explains these attacks and recommends to network operators the best ways to avoid them.

Denial of Service (DoS) attacks, and their even worse cousins, Distributed Denial of Service (DDoS) attacks, are always difficult to handle, but if we add to that the fact that the packets making up the attack have a forged origin, it not only becomes harder to stop the attack, it also becomes impossible to determine where it is coming from.

The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], written 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets as they enter the Internet if they have forged IP addresses -- that is, IP addresses that were not assigned to the device that is sending them.

There are a small number of cases in which such packets are ''not'' fraudulent, but that percentage is so low that they can be handled as manually maintained exceptions, even in environments where such packets would be blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC.

<br> <hr> <hr> <br>

The goals of this website are to:
* explain in detail why source IP address spoofing happens - why IP packets may arrive at a network with a source address that is not the expected one
* give some examples of why this can happen legitimately, and those caused by bad actors
* show the possible results and how filtering at the source can make their mitigation simpler, and
* explain to network operators in detail:
** why they should implement BCP38
** how to implement it
** how much it costs -- if there is any cost at all --
** what collateral damage it could cause
** and, most importantly, how to sell it to their bosses.

Our goal with BCP38.info is to make clear that there is a problem, explain what it is, and ''give practical advice on what can be done to solve it''.
<div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;">
'''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?'''

'''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week; in particular, my skills are in wiki editory, not configuring routers; I propose to let some people who do know how to do that put in some content, and then organize it a bit and expand it for a general audience where necessary).'''

'''So, for the moment, contribute, but don't publicize.'''</div>

= Information by Audience =
'''End customers'''
* [[Information for end-users]]
* [[Information for small businesses]]
* [[Information for medium businesses]]
* [[Information for enterprises]]
'''Network Providers'''
* [[Information for 'eyeball' networks]]
* [[Information for transit providers]]
* [[Information for backbone providers/network engineers]]

= Other Resources =
* [[How To's]] - Collection of articles about identification, configuration and prevention.

66e7056535c04dddd4461d01651f3043c6609420 98 97 2013-04-08T15:13:58Z Huguei 9 First translation tests.

[[File:BCP38_DHCP.png|thumb|right|top|431px|An example of a BCP38 implementation in a large DHCP-addressed network]]

This is '''BCP38.info'''. What is BCP38?

The [[BCP]]38 document corresponds to the standard '''[[RFC]]2827: Ingress network filtering: defeating denial-of-service attacks that use forged source IP addresses''' (''Network Ingress Filtering: Defeating [[Denial of Service Attacks]] which employ [[IP Source Address Spoofing]]'', in the original English).
That is, it is a document that explains these attacks and recommends to network operators the best ways to avoid them.

Denial of Service (DoS) attacks, and their even worse cousins, Distributed Denial of Service (DDoS) attacks, are always difficult to handle, but if we add to that the fact that the packets making up the attack have a forged origin, it not only becomes harder to stop the attack, it also becomes impossible to determine where it is coming from.

The solution to this problem, described in [http://tools.ietf.org/html/rfc2827.html RFC2827], written 13 years ago by Paul Ferguson and Daniel Senie, is to block IP packets as they enter the Internet if they have forged IP addresses -- that is, IP addresses that were not assigned to the device that is sending them.

There are a small number of situations in which such packets are ''not'' fraudulent, but that percentage is small enough to be handled as manual exceptions, even in an environment where such packets are otherwise blocked at their source -- the 'Ingress Filtering' mentioned in the title of the RFC.

<br> <hr> <hr> <br>

The purpose of this website is to:
* explain in depth why source IP address spoofing happens - why IP packets might arrive at a network with a source address that isn't expected
* give some examples of why this might happen legitimately and because of bad actors
* show what the results can be and how ingress filtering could have made them easier to mitigate, and
* tell network operators in detail
** why they should implement BCP38
** how to implement it
** how much -- if anything -- it will cost
** what collateral damage it may cause
** and (most importantly) how to sell it to their bosses.

Our goal in setting up BCP38.info is to make clear that there's a problem, explain what the problem is, and ''give you practical advice on what you can do to help solve it''.
<div style="border: solid 1px; border-color: blue; margin: 1em; padding: 1em; background-color: lightblue;">
'''At various places in this wiki, you'll find definitions of things which are sometimes subject to some dispute; if you have a major dispute with how something is presented, please let us work it out on the Talk pages, rather than engage in revert wars on actual articles, might we?'''

'''This site will always be a Work In Progress, but now more than somewhat; be gentle with it until this notice disappears (probably sometime this coming week; in particular, my skills are in wiki editory, not configuring routers; I propose to let some people who do know how to do that put in some content, and then organize it a bit and expand it for a general audience where necessary).'''

'''So, for the moment, contribute, but don't publicize.'''</div>

= Information by Audience =
'''End customers'''
* [[Information for end-users]]
* [[Information for small businesses]]
* [[Information for medium businesses]]
* [[Information for enterprises]]
'''Network Providers'''
* [[Information for 'eyeball' networks]]
* [[Information for transit providers]]
* [[Information for backbone providers/network engineers]]

= Other Resources =
* [[How To's]] - Collection of articles about identification, configuration and prevention.

f3cbf3fce78d30d623dc0256b0d7a03abcb00827 97 96 2013-04-08T15:04:32Z Ahebert 2

BCP38.info

0b76a285d1a44c6b71832d9fac532b4b80ca8bb2 96 94 2013-04-08T15:01:17Z BCP38 Moderator 1

BCP38.info Test

17c6886f6893d5ba9323f6150eb29986892baa18 94 2013-04-08T11:53:52Z BCP38 Moderator 1 Created page with "BCP38.info"

BCP38.info

0b76a285d1a44c6b71832d9fac532b4b80ca8bb2 Malware 0 48 161 2014-10-16T17:33:27Z Baylink 4 Created page with "'''Malware''' is a generic term used to describe virus, trojan horses, worms and other types of programs which are use to attack computers on the Internet, both the machines o..."
'''Malware''' is a generic term used to describe viruses, trojan horses, worms and other types of programs which are used to attack computers on the Internet, both the machines onto which they are (usually) surreptitiously placed *and* the ones which they in turn attack, either by promulgating themselves further, or in some other way.

Not all malware is surreptitious; some comes along with "free" software unexpectedly, either by defaulting a "should I also install" checkbox to yes (we're looking at you, Oracle/Java), or by simply installing the ancillary program you didn't expect.

2d35e7ac3c8c458fe62fd4bd9590443d573007cf Martian 0 50 167 2014-10-16T17:43:22Z Baylink 4 Created page with "'''Martian packets''' in network operations slang, are packets with a source address which is invalid, usually obviously, in that no valid packet could have that source addres..."

'''Martian packets''', in network operations slang, are packets with a source address which is invalid, usually obviously, in that no valid packet could have that source address, such as 0.0.0.0.

c4f4e71ce507b124f2ece0c45f5c348445612aa3 Multihomed 0 39 124 120 2014-01-17T18:09:04Z Baylink 4 Add reference to BCP84; thanks to Roland Dobbins

A host which is said to be '''multihomed''' is one which has more than one network interface, each of which has a different IP address. While such hosts are *supposed* to send all packets out an interface with a source address assigned to that interface, not all always do, and there are some valid reasons why that might happen.

Such hosts/sites will require special handling from BCP38-implementing access providers, but their number is generally small enough to make handling such things as manual exceptions a reasonable process.

More details on exactly what that special handling is, and how such sites and their providers (who are themselves generally multihomed) might implement it, can be found in [https://tools.ietf.org/html/bcp84 RFC 3704], which is BCP84.
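The definitions above (martian sources, and multihomed sites handled as manual exceptions) combine into a single per-port decision at an access provider that implements ingress filtering. The following Python example is added here as an illustration and is not code from BCP38.info or from the RFCs; the port names, prefixes (documentation ranges), packets and the abbreviated martian list are all constructed assumptions.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

# Abbreviated, illustrative list of source ranges no valid packet can carry.
MARTIAN_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",       # "this network", includes 0.0.0.0
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local
    "224.0.0.0/4",     # multicast is never a legitimate source
    "240.0.0.0/4",     # reserved, includes 255.255.255.255
)]


@dataclass
class CustomerPort:
    """One customer-facing interface on the provider edge (hypothetical model)."""
    name: str
    assigned: list                                   # prefixes assigned to this customer
    exceptions: list = field(default_factory=list)   # manually approved extras

    def __post_init__(self):
        self.assigned = [ipaddress.ip_network(p) for p in self.assigned]
        self.exceptions = [ipaddress.ip_network(p) for p in self.exceptions]


def classify(port, src):
    """Return the filtering verdict for a packet with source `src` seen on `port`."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop-malformed"
    if any(addr in net for net in MARTIAN_SOURCES):
        return "drop-martian"          # invalid everywhere, whatever the port
    if any(addr in net for net in port.assigned):
        return "permit"                # source was assigned to this customer
    if any(addr in net for net in port.exceptions):
        return "permit-exception"      # e.g. a multihomed site's other prefix
    return "drop-spoofed"              # not assigned to the sender


def tally(ports, packets):
    """Count verdicts per port; ports with drops are the ones to investigate."""
    result = {name: Counter() for name in ports}
    for port_name, src in packets:
        result[port_name][classify(ports[port_name], src)] += 1
    return result


# Constructed sample data: cust-b is multihomed and has one manual exception.
PORTS = {
    "cust-a": CustomerPort("cust-a", ["192.0.2.0/25"]),
    "cust-b": CustomerPort("cust-b", ["198.51.100.0/24"], ["203.0.113.0/24"]),
}
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.10"),    # inside the assigned /25
    ("cust-a", "192.0.2.200"),   # same /24, but outside the assigned /25
    ("cust-a", "0.0.0.0"),       # martian
    ("cust-a", "203.0.113.5"),   # exception exists only on cust-b's port
    ("cust-b", "198.51.100.7"),
    ("cust-b", "203.0.113.5"),   # allowed by the manual exception
    ("cust-b", "127.0.0.1"),     # martian
    ("cust-b", "192.0.2.10"),    # cust-a's address arriving on cust-b's port
]

if __name__ == "__main__":
    for name, counts in tally(PORTS, SAMPLE_PACKETS).items():
        print(name, dict(counts))
```

The exception list is scoped to a single port, so the same source address is permitted on the multihomed customer's port and dropped on every other one.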
4de3cda8a7a5a581e47a43068477e23a58b24f62 120 2014-01-17T03:45:51Z Baylink 4 Created page with "A host which is said to be '''multihomed''' is one which has more than one network interface each of which has different IP addresses. While such hosts are *supposed* to send..."

A host which is said to be '''multihomed''' is one which has more than one network interface, each of which has a different IP address. While such hosts are *supposed* to send all packets out an interface with a source address assigned to that interface, not all always do, and there are some valid reasons why that might happen.

Such hosts/sites will require special handling from BCP38-implementing access providers, but their number is generally small enough to make handling such things as manual exceptions a reasonable process.

62af3a2606b007657c4b9cbe2f37a43213a52cee Projects 0 27 91 73 2013-04-05T16:44:08Z Baylink 4

Listed on this page are several projects operated by various colleges and other organizations which provide software you can use to test whether your Internet connection is already protected by BCP38 ingress filtering.

While we have no particular reason not to trust any of these organizations, and most of the programs are available in source code so you can inspect them to make sure they themselves do no harm, we must include the usual disclaimer: We take no responsibility for these programs; if by using them, you break anything, you get to keep both pieces.

=== Certification/Verification ===
There are many projects you can contribute to.
* BCP38.info - (coming soon) Our own simple tool, written in Perl, to verify if your [[CPE]], [[ISP]] or even [[Tier]] allow spoofed packets to reach their destination.
* Spoofer project - http://spoofer.csail.mit.edu Working on creating a world map of where the internet is most susceptible to allowing packets with spoofed IP addresses to transit.
This is a bit older, but still active, and it seems to work pretty well, collecting quite a bit of data and sending it to project headquarters at MIT.

=== Identification ===
* Open Resolver Project - http://openresolverproject.org Providing information on the state of Open DNS Resolvers -- a common target for the sort of attacks BCP38 makes more difficult -- and information on what to do about yours, if you have one.

=== Protection ===
And if you like coding and contributing new ideas:
* Bindguard - http://bindguard.activezone.de A BIND Log scanner used to reduce the impact of your Open Resolver to Amplification attacks.

9298419eb29c3a4827a336c3f6e4dcc14bebda24 73 72 2013-04-04T17:12:54Z BCP38 Moderator 1 /* Certification/Verification */

=== Certification/Verification ===
There are many projects you can contribute to.
* BCP38.info - <soon> A simple tool, written in Perl, to verify if your [[CPE]], [[ISP]] or even [[Tier]] allow spoofed packets to reach their destination.
* Spoofer project - http://spoofer.csail.mit.edu<br> Working on creating a world map of where the internet is most susceptible to allowing packets with spoofed IP addresses to transit.

=== Identification ===
* Open Resolver Project - http://openresolverproject.org<br> Providing information on the state of Open Resolvers and information on what to do about yours.

=== Protection ===
And if you like coding and contributing new ideas:<br>
* Bindguard - http://bindguard.activezone.de<br> A BIND Log scanner used to reduce the impact of your Open Resolver to Amplification attacks.

(This needs heavy editing)

d896aab16598a9222889d82891685450d96c0946 72 71 2013-04-04T17:09:58Z BCP38 Moderator 1 /* Certification/Verification */

=== Certification/Verification ===
There are many projects you can contribute to.
* BCP38.info - <soon> A simple Perl script tool to verify if your [[CPE]], [[ISP]] or even [[Tier]] allow spoofed packets to reach their destination.
* Spoofer project - http://spoofer.csail.mit.edu<br> Working on creating a world map of where the internet is most susceptible to allowing packets with spoofed IP addresses to transit. === Identification === * Open Resolver Project - http://openresolverproject.org<br> Providing information on the state of Open Resolvers and information on what to do about yours. === Protection === And if you like coding and contributing new ideas:<br> * Bindguard - http://bindguard.activezone.de<br> A BIND Log scanner used to reduce the impact of your Open Resolver to Amplification attacks. (This needs heavy editing) 13f3639bf23d624c37e8cf16ca0a47b7d9011ca2 71 68 2013-04-04T17:07:05Z BCP38 Moderator 1 /* Certification/Verification/Identification */ === Certification/Verification === There are many projects you can contribute to. * BCP38.info - <soon> A simple Perl script tool to verify if your [[CPE]], [[ISP]] or even [[Tier]] allows spoofed packets to reach their destination. * Spoofer project - http://spoofer.csail.mit.edu<br> Working on creating a state of how widely IP spoofing is still available. === Identification === * Open Resolver Project - http://openresolverproject.org<br> Providing information on the state of Open Resolvers and information on what to do about yours. === Protection === And if you like coding and contributing new ideas:<br> * Bindguard - http://bindguard.activezone.de<br> A BIND Log scanner used to reduce the impact of your Open Resolver to Amplification attacks. (This needs heavy editing) 1497a0133cd6c2bcfbd0968547103be1217c6406 68 67 2013-04-04T17:01:15Z BCP38 Moderator 1 /* Protection */ === Certification/Verification/Identification === There are many projects you can contribute to. * BCP38.info - <soon> A simple Perl script tool to verify if your [[CPE]], [[ISP]] or even [[Tier]] allows spoofed packets to reach their destination. * Spoofer project - http://spoofer.csail.mit.edu<br> Working on creating a state of how widely IP spoofing is still available. 
=== Identification === * Open Resolver Project - http://openresolverproject.org<br> Providing information on the state of Open Resolvers and information on what to do about yours. === Protection === And if you like coding and contributing new ideas:<br> * Bindguard - http://bindguard.activezone.de<br> A BIND Log scanner used to reduce the impact of your Open Resolver to Amplification attacks. (This needs heavy editing) 74c1e5178b343387cf8d54861dcff254c58f7040 67 66 2013-04-04T17:00:52Z BCP38 Moderator 1 /* Identification */ === Certification/Verification/Identification === There are many projects you can contribute to. * BCP38.info - <soon> A simple Perl script tool to verify if your [[CPE]], [[ISP]] or even [[Tier]] allows spoofed packets to reach their destination. * Spoofer project - http://spoofer.csail.mit.edu<br> Working on creating a state of how widely IP spoofing is still available. === Identification === * Open Resolver Project - http://openresolverproject.org<br> Providing information on the state of Open Resolvers and information on what to do about yours. === Protection === And if you like coding and contributing new ideas: * Bindguard - http://bindguard.activezone.de<br> A BIND Log scanner used to reduce the impact of your Open Resolver to Amplification attacks. (This needs heavy editing) ca74a233d441b58e67d28e8dca9117b0b4e10bb8 66 65 2013-04-04T17:00:43Z BCP38 Moderator 1 /* Protection */ === Certification/Verification/Identification === There are many projects you can contribute to. * BCP38.info - <soon> A simple Perl script tool to verify if your [[CPE]], [[ISP]] or even [[Tier]] allows spoofed packets to reach their destination. * Spoofer project - http://spoofer.csail.mit.edu<br> Working on creating a state of how widely IP spoofing is still available. === Identification === * Open Resolver Project - http://openresolverproject.org<br> Providing information on the state of Open Resolvers and information on what to do about yours. 
=== Protection === And if you like coding and contributing new ideas: * Bindguard - http://bindguard.activezone.de<br> A BIND Log scanner used to reduce the impact of your Open Resolver to Amplification attacks. (This needs heavy editing) 3eb2a018943d2d4ca364ac85fc91deadd108962e 65 64 2013-04-04T17:00:31Z BCP38 Moderator 1 /* Protection */ === Certification/Verification/Identification === There are many projects you can contribute to. * BCP38.info - <soon> A simple Perl script tool to verify if your [[CPE]], [[ISP]] or even [[Tier]] allows spoofed packets to reach their destination. * Spoofer project - http://spoofer.csail.mit.edu<br> Working on creating a state of how widely IP spoofing is still available. === Identification === * Open Resolver Project - http://openresolverproject.org<br> Providing information on the state of Open Resolvers and information on what to do about yours. === Protection === And if you like coding and contributing new ideas: * Bindguard - http://bindguard.activezone.de<br> A BIND Log scanner used to reduce the impact of your Open Resolver to Amplification attacks. (This needs heavy editing) 340e68572d4727f96086782d2c97f28c2ccffe83 64 63 2013-04-04T17:00:21Z BCP38 Moderator 1 /* Certification/Verification/Identification */ === Certification/Verification/Identification === There are many projects you can contribute to. * BCP38.info - <soon> A simple Perl script tool to verify if your [[CPE]], [[ISP]] or even [[Tier]] allows spoofed packets to reach their destination. * Spoofer project - http://spoofer.csail.mit.edu<br> Working on creating a state of how widely IP spoofing is still available. === Identification === * Open Resolver Project - http://openresolverproject.org<br> Providing information on the state of Open Resolvers and information on what to do about yours. 
=== Protection === And if you like coding and contributing new ideas: * Bindguard - http://bindguard.activezone.de<br> A BIND Log scanner used to reduce the impact of your Open Resolver to Amplification attacks. (This needs heavy editing) cf6a00f1eb4be343c08b8880e5a32545a0f2da8e 63 62 2013-04-04T17:00:07Z BCP38 Moderator 1 /* Certification/Verification/Identification */ === Certification/Verification/Identification === There are many projects you can contribute to. * BCP38.info - <soon> A simple Perl script tool to verify if your [[CPE]], [[ISP]] or even [[Tier]] allows spoofed packets to reach their destination. * Spoofer project - http://spoofer.csail.mit.edu<br> Working on creating a state of how widely IP spoofing is still available. === Identification === * Open Resolver Project - http://openresolverproject.org<br> Providing information on the state of Open Resolvers and information on what to do about yours. === Protection === And if you like coding and contributing new ideas: * Bindguard - http://bindguard.activezone.de<br> A BIND Log scanner used to reduce the impact of your Open Resolver to Amplification attacks. (This needs heavy editing) b8766d93f89be617ea8f08537b3732a544eb16d9 62 2013-04-04T16:59:38Z BCP38 Moderator 1 Created page with "=== Certification/Verification/Identification === There is many project you can contribute to. * BCP38.info - <soon> A simple perl script tool to verify if your [[CPE]], [[..." === Certification/Verification/Identification === There are many projects you can contribute to. * BCP38.info - <soon> A simple Perl script tool to verify if your [[CPE]], [[ISP]] or even [[Tier]] allows spoofed packets to reach their destination. * Spoofer project - http://spoofer.csail.mit.edu<br> Working on creating a state of how widely IP spoofing is still available. * Open Resolver Project - http://openresolverproject.org<br> Providing information on the state of Open Resolvers and information on what to do about yours. 
=== Protection === And if you like coding and contributing new ideas: * Bindguard - http://bindguard.activezone.de<br> A BIND Log scanner used to reduce the impact of your Open Resolver to Amplification attacks. (This needs heavy editing) a28e2c9184fade6787f72eb0b0a38c898c1ced2a RFC 0 3 5 2013-03-29T15:48:43Z Baylink 4 Created page with "An '''RFC''' is a "Request For Comments"; RFCs are the standards documents for the Internet. The title was originally a nod to the fact that the standards were all advisory, ..." An '''RFC''' is a "Request For Comments"; RFCs are the standards documents for the Internet. The title was originally a nod to the fact that the standards were all advisory, as unofficial as the Internet itself; while the standards, however advisory, are now effectively required for interoperating with the rest of the net, the name was never changed. 9e7d276d47f58a469b721f0eda4de6c704f9fc8d The Internet 0 7 15 13 2013-03-29T17:36:19Z Baylink 4 Seth Breidbart once described The Internet as :'' "the largest equivalence class in the reflexive, transitive, symmetric closure of the relationship 'can be reached by an IP packet from'." '' While most people don't look at it from a mathematical perspective, The Internet is, in practical terms, the collection of [[tier 1]] networks which peer with one another and comprise the [[default-free zone]] (or 'DFZ'), and the waterfall of networks which peer with them or purchase transit to them; in short, if you pitch a packet over the wall with a [[public IP address]] as its destination, and you are connected to The Internet somehow, that packet should get there, and reply packets should get back to you. 8f448214d5f7a9540f5f91068ca583093efcb295 13 2013-03-29T17:33:29Z Baylink 4 Created page with "Seth Breidbart once described The Internet as :'' "the largest equivalence class in the reflexive, transitive, symmetric closure of the relationship 'can be reached by an IP..." 
Seth Breidbart once described The Internet as :'' "the largest equivalence class in the reflexive, transitive, symmetric closure of the relationship 'can be reached by an IP packet from'." '' While most people don't look at it from a mathematical perspective, The Internet is, in practical terms, the collection of [[tier 1]] networks which peer with one another and comprise [[the default-free zone]] (or 'DFZ'), and the waterfall of networks which peer with them or purchase transit to them; in short, if you pitch a packet over the wall with a [[public IP address]] as its destination, and you are connected to The Internet somehow, that packet should get there, and reply packets should get back to you. 1ac705ca5924e1d0f7137e246fbea34a108c18b4 Tier 1 0 8 17 14 2013-03-29T17:39:04Z Baylink 4 The definition of a 'Tier 1' IP network is the most hotly disputed term in internetworking, largely because all carriers want to be one. If any page on this wiki generates an edit war, this will be the page. :-) In short, a Tier 1 network has 2 main defining characteristics: * It buys no transit, peering with any other networks with which it interconnects, nearly always in a settlement-free manner, and * It participates in the [[default-free zone]]. f056647c3b0e0ccd5004187654b28bb1b889dfb6 14 2013-03-29T17:35:54Z Baylink 4 Created page with "The definition of a 'Tier 1' IP network is the most hotly disputed term in internetworking, largely because all carriers want to be one. If any page on this wiki generates an..." The definition of a 'Tier 1' IP network is the most hotly disputed term in internetworking, largely because all carriers want to be one. If any page on this wiki generates an edit war, this will be the page. :-) In short, though, a Tier 1 network has 2 main defining characteristics: * It buys no transit, peering with any other networks with which it interconnects, nearly always in a settlement-free manner, and * It participates in the [[default-free zone]]. 
0e35741f0ff2487249302fc9a50b0c66b7b172da Wiki Quick Start 0 44 149 148 2014-01-25T18:39:15Z Baylink 4 /* A quick introduction to Wikidom */ ==A quick introduction to Wikidom== This site is a [[Wiki Wiki]] (which is Hawaiian for "quick quick") web site. That means it's an engine that makes it easier to enter the contents you want on a page, and easier to create new pages &mdash; even if you don't know what to put on them yet. The admins chose a Wiki because they (Wikis, not the Admins :-) ) are really handy for collaborative documentation; it's easier for random people to contribute useful information, and random editors to edit it. Since it keeps a history of pages, it's so easy to fix graffiti that it's almost not worth trashing stuff. (Hint.) The only two things that some people have trouble with about Wikis are that the markup syntax (which is not HTML on purpose) can occasionally be somewhat obscure, and that the internal links are created using <nowiki>[[square brackets]]</nowiki>. And, lastly before we tell you how to edit, let us encourage you to ''create an account''; it's a requirement on this wiki because it has a high-profile public audience aim, and we need to avoid spam and graffiti. Send an email to '''moderator [at] bcp38.info''', and include your preferred username, and we'll set you right up. ==Adding pages== You can either add a link to an existing page, and click through it, or put the page name, properly capitalized, in the search box and click Go; either will leave you on a page where you are invited to click a link to create the new page. By "properly capitalized", we mean "please don't capitalize page/article titles unless people will capitalize them when typing them in the middle of a running sentence". MediaWiki will capitalize the first letter of the page title, but that can't be avoided (and does not break using the page title as a link in all lower case while typing). 
==Wiki writing syntax== Anyway, the one 'graf explanation of WikiWriting is: :Just write. Empty lines force paragraph breaks, <code><nowiki><br></nowiki></code> forces a mid-line break (and indeed, most HTML works), and you can do all the stuff you'd do in HTML markup, but with slightly different (read: easier) syntax. <nowiki>[[Words or phrases]]</nowiki> in square brackets automatically become intra-Wiki links &mdash; if the page doesn't exist yet, readers will see its link displayed in red instead of blue, and you can either write the new page yourself, by clicking through to it after you save, or you can just leave it as a hint for others to follow. If you ''do'' preview the page, don't forget to ''save it'' before clicking through to create subsidiary pages. Finally, please fill in the 'Summary' with a half-sentence description of what you changed. The summaries are displayed in the [[Special:Recentchanges|Recent Changes]] page listing, and make it a lot easier to figure out what's going on and why. Think of them as CVS comments. It's really pretty much that simple. Once you find something you want to do (like offsite links or inline images) that isn't explained here, you can go check out [[Help:Contents]]. And, finally, remember: anyone can come along and edit what you write... and that's the ''point''. So it's important to keep this frame of mind when you're writing. If you hate editors, writing for a Wiki will probably drive you batty. ==How to work with ''this'' wiki== Keep an eye on the Discussion pages for the pages you work on; use your Watchlist (and set the "automatically add pages I edit to my Watchlist" setting in your preferences); and keep an eye on the Community Portal; as we figure out the best way to do things, that's where we will put the meta-Q&A. In general, when you're starting to think about graduating from small changes to large ones (and creating entire new pages or categories): '''read before you write'''. 
It's even easier to steal formatting and layout on a wiki than it is in traditional HTML, so look for pages that are well laid out, and copy them, replacing their text with your own. Look at active talk pages for examples of how to thread conversations in MW's admittedly slightly weak Talk: system (it's nice because it keeps conversations near what they talk about, at the expense of making you work a tiny bit harder). Oh, and make sure to sign things you post on talk pages with <nowiki>--~~~~</nowiki>, so everyone can follow the conversations. Finally, keep an eye on [[Special:Recentchanges]] &mdash; it's a good bookmark page if you want to keep an eye on the wiki from either side &mdash; and if you change things, please write a summary to keep Recent Changes '''useful'''. So [[Be Bold]], but be kind... And use links to provide a source of original content. And have '''fun'''; that's most of the point. :-) aa01f92119f8b3e7b1e4ecbdb7e9b896df16d0e0 148 147 2014-01-25T18:38:39Z Baylink 4 /* Adding pages */ ==A quick introduction to Wikidom== This site is a [[Wiki Wiki]] (which is Hawaiian for "quick quick") web site. That means it's an engine that makes it easier to enter the contents you want on a page, and easier to create new pages &mdash; even if you don't know what to put on them yet. The admins chose a Wiki because they (Wiki's, not the Admins :-) ) are really handy for collaborative documentation; it's easier for random people to contribute useful information, and random editors to edit it. Since it keeps a history of pages, it's so easy to fix graffiti that it's almost not worth trashing stuff. (Hint.) The only two things that some people have trouble with about Wikis are that the markup syntax (which is not HTML on purpose) can occasionally be somewhat obscure, and that the internal links are created using <nowiki>[[square brackets]]</nowiki>. 
And, lastly before we tell you how to edit, let us encourage you to ''create an account''; it's a requirement on this wiki because it has a high-profile public audience aim, and we need to avoid spam and graffiti. Send an email to moderator [at] bcp38.info, and include your preferred username, and we'll set you right up. ==Adding pages== You can either add a link to an existing page, and click through it, or put the page name, properly capitalized, in the search box and click Go; either will leave you on a page where you are invited to click a link to create the new page. By "properly capitalized", we mean "please don't capitalize page/article titles unless people will capitalize them when typing them in the middle of a running sentence". MediaWiki will capitalize the first letter of the page title, but that can't be avoided (and does not break using the page title as a link in all lower case while typing). ==Wiki writing syntax== Anyway, the one 'graf explanation of WikiWriting is: :Just write. Empty lines force paragraph breaks, <code><nowiki><br></nowiki></code> forces a mid-line break (and indeed, most HTML works), and you can do all the stuff you'd do in HTML markup, but with slightly different (read: easier) syntax. <nowiki>[[Words or phrases]]</nowiki> in square brackets automatically become intra-Wiki links &mdash; if the page doesn't exist yet, readers will see its link displayed in red instead of blue, and you can either write the new page yourself, by clicking through to it after you save, or you can just leave it as a hint for others to follow. If you ''do'' preview the page, don't forget to ''save it'' before clicking through to create subsidiary pages. Finally, please fill in the 'Summary' with a half-sentence description of what you changed. The summaries are displayed in the [[Special:Recentchanges|Recent Changes]] page listing, and make it a lot easier to figure out what's going on and why. Think of them as CVS comments. 
It's really pretty much that simple. Once you find something you want to do (like offsite links or inline images) that isn't explained here, you can go check out [[Help:Contents]]. And, finally, remember: anyone can come along and edit what you write... and that's the ''point''. So it's important to keep this frame of mind when you're writing. If you hate editors, writing for a Wiki will probably drive you batty. ==How to work with ''this'' wiki== Keep an eye on the Discussion pages for the pages you work on; use your Watchlist (and set the "automatically add pages I edit to my Watchlist" setting in your preferences; and keep an eye on the Community Portal; as we figure out the best way to do things, that's where we will put the meta-Q&A. In general, when you're starting to think about graduating from small changes to large ones (and creating entire new pages or categories): '''read before you write'''. It's even easier to steal formatting and layout on a wiki than it is in traditional HTML, so look for pages that are well laid out, and copy them, replacing their text with your own. Look at active talk pages for examples of how to thread conversations in MW's admittedly slightly weak Talk: system (it's nice because it keeps conversations near what they talk about, at the expense of making you work a tiny bit harder). Oh, and make sure to sign things you post on talk pages with <nowiki>--~~~~</nowiki>, so everyone can follow the conversations. Finally, keep an eye on [[Special:Recentchanges]] &mdash; it's a good bookmark page if you want to keep an eye on the wiki from either side &mdash; and if you change things, please write a summary to keep Recent Changes '''useful'''. So [[Be Bold]], but be kind... And use links to provide a source of original content. And have '''fun'''; that's most of the point. 
:-) a188940b390ef046d55af1125e3d11fdd295dfe6 147 2014-01-25T18:35:59Z Baylink 4 Imported (and modified) from MythTV wiki, where I originally wrote it ==A quick introduction to Wikidom== This site is a [[Wiki Wiki]] (which is Hawaiian for "quick quick") web site. That means it's an engine that makes it easier to enter the contents you want on a page, and easier to create new pages &mdash; even if you don't know what to put on them yet. The admins chose a Wiki because they (Wikis, not the Admins :-) ) are really handy for collaborative documentation; it's easier for random people to contribute useful information, and random editors to edit it. Since it keeps a history of pages, it's so easy to fix graffiti that it's almost not worth trashing stuff. (Hint.) The only two things that some people have trouble with about Wikis are that the markup syntax (which is not HTML on purpose) can occasionally be somewhat obscure, and that the internal links are created using <nowiki>[[square brackets]]</nowiki>. And, lastly before we tell you how to edit, let us encourage you to ''create an account''; it's a requirement on this wiki because it has a high-profile public audience aim, and we need to avoid spam and graffiti. Send an email to moderator [at] bcp38.info, and include your preferred username, and we'll set you right up. ==Adding pages== Please refer to the [[Help:Contents|Help section]] for information on creating pages, editing existing pages, and how categories are used on this site. ==Wiki writing syntax== Anyway, the one 'graf explanation of WikiWriting is: :Just write. Empty lines force paragraph breaks, <code><nowiki><br></nowiki></code> forces a mid-line break (and indeed, most HTML works), and you can do all the stuff you'd do in HTML markup, but with slightly different (read: easier) syntax. 
<nowiki>[[Words or phrases]]</nowiki> in square brackets automatically become intra-Wiki links &mdash; if the page doesn't exist yet, readers will see its link displayed in red instead of blue, and you can either write the new page yourself, by clicking through to it after you save, or you can just leave it as a hint for others to follow. If you ''do'' preview the page, don't forget to ''save it'' before clicking through to create subsidiary pages. Finally, please fill in the 'Summary' with a half-sentence description of what you changed. The summaries are displayed in the [[Special:Recentchanges|Recent Changes]] page listing, and make it a lot easier to figure out what's going on and why. Think of them as CVS comments. It's really pretty much that simple. Once you find something you want to do (like offsite links or inline images) that isn't explained here, you can go check out [[Help:Contents]]. And, finally, remember: anyone can come along and edit what you write... and that's the ''point''. So it's important to keep this frame of mind when you're writing. If you hate editors, writing for a Wiki will probably drive you batty. ==How to work with ''this'' wiki== Keep an eye on the Discussion pages for the pages you work on; use your Watchlist (and set the "automatically add pages I edit to my Watchlist" setting in your preferences; and keep an eye on the Community Portal; as we figure out the best way to do things, that's where we will put the meta-Q&A. In general, when you're starting to think about graduating from small changes to large ones (and creating entire new pages or categories): '''read before you write'''. It's even easier to steal formatting and layout on a wiki than it is in traditional HTML, so look for pages that are well laid out, and copy them, replacing their text with your own. 
Look at active talk pages for examples of how to thread conversations in MW's admittedly slightly weak Talk: system (it's nice because it keeps conversations near what they talk about, at the expense of making you work a tiny bit harder). Oh, and make sure to sign things you post on talk pages with <nowiki>--~~~~</nowiki>, so everyone can follow the conversations. Finally, keep an eye on [[Special:Recentchanges]] &mdash; it's a good bookmark page if you want to keep an eye on the wiki from either side &mdash; and if you change things, please write a summary to keep Recent Changes '''useful'''. So [[Be Bold]], but be kind... And use links to provide a source of original content. And have '''fun'''; that's most of the point. :-) 6d95c21b2239464cd206f7e6380ac35f3ac60bab Talk:HOWTO:CISCO:7200VXR 1 53 183 181 2015-03-09T15:12:30Z Baylink 4 /* Seems reasonable */ new section == Suggestion: Standardizing Format of Router Config Howto's == I am just getting started here, so let me know what the general community thoughts are on this topic before I just dive in and start implementing this. To be useful to the widest audience, we will need to keep track of not only model numbers, but software, hardware, and firmware revisions. In the Cisco distribution router community this will be especially important, as the variations between software available for any model can be dizzying. I'm going to suggest a headerblock for each router howto page, and a TOC outline that gives opportunities for variations, and known bugs, as well as workarounds for issues where those have been developed. 
Here goes: <table cellpadding="0" cellspacing="0"> <tr><th align="right">Make</th><td>&nbsp;</td><td align="left">Cisco</td></tr> <tr><th align="right">Model</th><td>&nbsp;</td><td align="left">7200 VXR</td></tr> <tr><th align="right">Firmware</th><td>&nbsp;</td><td align="left"> __________ </td></tr> <tr><th align="right">Software</th><td>&nbsp;</td><td align="left">C7200-JS-M Version 12.3(8.3)</td></tr> </table> === Sample TOC === === Generic Configuration === === Older Release Variations === === Known and Reported Problems and Workarounds === === References === === External Links === --[[User:Fjb|Fjb]] ([[User talk:Fjb|talk]]) 02:56, 18 February 2015 (EST) ---- == Seems reasonable == A good starting place, at least. Question is: do we put all the various revisions on a single page per chassis? I'm inclined to say yes. It's either that, or one-per, and use Categories. Not immediately obvious which would work better.<br>--[[User:Baylink|Baylink]] ([[User talk:Baylink|talk]]) 11:12, 9 March 2015 (EDT) 63b9b0800ef95107292058ac0f1cc090d2ee532e 181 2015-02-18T07:56:22Z Fjb 41 Suggested format for router howto pages - Discussion == Suggestion: Standardizing Format of Router Config Howto's == I am just getting started here, so let me know what the general community thoughts are on this topic before I just dive in and start implementing this. To be useful to the widest audience, we will need to keep track of not only model numbers, but software, hardware, and firmware revisions. In the Cisco distribution router community this will be especially important, as the variations between software available for any model can be dizzying. I'm going to suggest a headerblock for each router howto page, and a TOC outline that gives opportunities for variations, and known bugs, as well as workarounds for issues where those have been developed. 
Here goes: <table cellpadding="0" cellspacing="0"> <tr><th align="right">Make</th><td>&nbsp;</td><td align="left">Cisco</td></tr> <tr><th align="right">Model</th><td>&nbsp;</td><td align="left">7200 VXR</td></tr> <tr><th align="right">Firmware</th><td>&nbsp;</td><td align="left"> __________ </td></tr> <tr><th align="right">Software</th><td>&nbsp;</td><td align="left">C7200-JS-M Version 12.3(8.3)</td></tr> </table> === Sample TOC === === Generic Configuration === === Older Release Variations === === Known and Reported Problems and Workarounds === === References === === External Links === --[[User:Fjb|Fjb]] ([[User talk:Fjb|talk]]) 02:56, 18 February 2015 (EST) ---- c0f92bb861b0e33e8858d71ca83029f478db679f Talk:Ingress filtering 1 54 182 2015-02-18T08:23:41Z Fjb 41 discussion about sample ingress/egress packet filters == Suggested Page: Sample ingress vs. egress packet filters == # Internal LAN 172.17.94.0/23 (pretend this is globally routable for example purposes) 3625f66e653ba644564c46e982455f3214caa302 User:Baylink 2 17 187 42 2016-09-25T15:07:02Z Baylink 4 [[File:jra-picon.jpg|thumb|right|top|211px]] '''Jay R. Ashworth''' is a 30-year systems and network administrator, with experience in Xenix, Unix, Linux and Windows; he has filled roles ranging from independent consultant to help desk, from programmer to systems architect, and from technical reviewer to author. He has been a Wikipedian since 2004, contributed to the MythTV wiki relaunch from Moin to Mediawiki (and contributed much of the home page and the framing and introductions for the User Manual); he rewrote much of the RT 3.8 wiki documentation, and is working on rehosting the Spenser site Bullets-n-Beer at Wikia. He created bestpractices.wikia.com, and everyone ignored it, so maybe he's a better editor than promoter. :-) His desktop, laptop, and cellphone all run Linux (well, ok, Android, but at least it's Cyanogen 7), though he does keep one Windows 7 laptop around, Just Because. 
He's the lead editor here at bcp38.info, for the moment, until someone kicks him off the top of the pile, but he's much better at editing than configuring routers, so he hopes lots of smart people will fill in some of the holes, once he frames them. He [http://baylink.pitas.com blogs], but Pitas is going through its once-a-decade "it broke, and I have lots better things to do than maintain a historical website" throes, and it's not quite back in battery yet; Jay hopes Andrew will get off his ass and fix it... or he demands a refund! :-) [ He's been a little remiss in prosecuting this particular part of the Internet War, and resolves to do better. :-} --j ] f911d928d364b3d04b13533fa4885921216df2d4 42 40 2013-03-31T14:38:59Z Baylink 4 Vanity, thy name is... well, me. :-) [[File:jra-picon.jpg|thumb|right|top|211px]] '''Jay R. Ashworth''' is a 30-year systems and network administrator, with experience in Xenix, Unix, Linux and Windows; he has filled roles ranging from independent consultant to help desk, from programmer to systems architect, and from technical reviewer to author. He has been a Wikipedian since 2004, contributed to the MythTV wiki relaunch from Moin to Mediawiki (and contributed much of the home page and the framing and introductions for the User Manual); he rewrote much of the RT 3.8 wiki documentation, and is working on rehosting the Spenser site Bullets-n-Beer at Wikia. He created bestpractices.wikia.com, and everyone ignored it, so maybe he's a better editor than promoter. :-) His desktop, laptop, and cellphone all run Linux (well, ok, Android, but at least it's Cyanogen 7), though he does keep one Windows 7 laptop around, Just Because. He's the lead editor here at bcp38.info, for the moment, until someone kicks him off the top of the pile, but he's much better at editing than configuring routers, so he hopes lots of smart people will fill in some of the holes, once he frames them. 
He [http://baylink.pitas.com blogs], but Pitas is going through its once-a-decade "it broke, and I have lots better things to do than maintain a historical website" throes, and it's not quite back in battery yet; Jay hopes Andrew will get off his ass and fix it... or he demands a refund! :-) 826037ad571d16568acadcf50ca02f7c73e4c5ac 40 2013-03-31T14:35:44Z Baylink 4 User page - everyone, please create one. :-) '''Jay R. Ashworth''' is a 30-year systems and network administrator, with experience in Xenix, Unix, Linux and Windows; he has filled roles ranging from independent consultant to help desk, from programmer to systems architect, and from technical reviewer to author. He has been a Wikipedian since 2004, contributed to the MythTV wiki relaunch from Moin to Mediawiki (and contributed much of the home page and the framing and introductions for the User Manual); he rewrote much of the RT 3.8 wiki documentation, and is working on rehosting the Spenser site Bullets-n-Beer at Wikia. He created bestpractices.wikia.com, and everyone ignored it, so maybe he's a better editor than promoter. :-) His desktop, laptop, and cellphone all run Linux (well, ok, Android, but at least it's Cyanogen 7), though he does keep one Windows 7 laptop around, Just Because. He's the lead editor here at bcp38.info, for the moment, until someone kicks him off the top of the pile, but he's much better at editing than configuring routers, so he hopes lots of smart people will fill in some of the holes, once he frames them. He [blogs http://baylink.pitas.com], but Pitas is going through its once-a-decade "it broke, and I have lots better things to do than maintain a historical website" throes, and it's not quite back in battery yet; Jay hopes Andrew will get off his ass and fix it... or he demands a refund! 
:-) b2284cba305ee325f680a5e44f7b0e94a26aafbb User:Fjb 2 52 179 178 2015-02-18T07:05:44Z Fjb 41 '''[[User:Fjb]]''' Purpose: Here to work on sample router configs, user hints, recommendations, and just general helpful hacquing wherever I can. Availability: nights and weekends and as free time is available. Email me for requests, thoughts, ideas or suggestions for BCP38. 10f66dbd42a6b9b9c1cdf149f43c1bbf0f34cfdd 178 2015-02-18T07:04:37Z Fjb 41 Created page with "'''[User:Fjb]''' Purpose: Here to work on sample router configs, user hints, recommendations, and just general helpful hacquing wherever I can. Availability: nights and wee..." '''[User:Fjb]''' Purpose: Here to work on sample router configs, user hints, recommendations, and just general helpful hacquing wherever I can. Availability: nights and weekends and as free time is available. Email me for requests, thoughts, ideas or suggestions for BCP38. 8b3dfe636855437836c6e8b3cb9dac56786c4554 User:Odoug2045 2 41 145 144 2014-01-25T06:59:17Z Odoug2045 29 [[File:IMG_20131012_Kovalev89.jpg|thumb|right|top|211px]] '''Douglas S. Oliveira''' is a 24 years old boy with a decade of records on, broken things, lots of lost in personal data and money applied on wrong directions. He's currently pursuing his CCNA certification and a decent job, meanwhile trying to figure out a way to escape from native monkeys who wants to stole her hopes. "I've met Mr. Jay R. Ashworth on NANOG forum, but before had read something about BCP 38 and sounds very interesting and important to be known by everyone who cares.", say. "So here am I. Not so many cool things to say, just to translate and help where is needed. You can count on me, my skills can be few on the paper, but I guarantee, my coffee is beyond average (:.", ends. If you're interested in exchange ideas, Douglas utterly recommends you to make a 4th level contact with him. 
Twitter: @Dskk89 b3555e3e04817df5f0902b1165e80f7029173a2c 144 143 2014-01-25T06:46:34Z Odoug2045 29 [[File:IMG_20131012_Kovalev89.jpg|thumb|right|top|211px]] '''Douglas S. Oliveira''' is a 24 years old boy with a decade of records on, broken things, lots of lost in personal data and money applied on wrong directions. He's currently pursuing his CCNA certification and a decent job, meanwhile trying to figure out a way to escape from native monkeys who wants to stole her hopes. "I've met Mr. Jay R. Ashworth on NANOG forum, but before had read something about BCP 38 and sounds very interesting and important to be known by everyone who cares.", say. "So here am I. Not so many cool things to say, just to translate and help where is needed. You can count on me, my skills can be few on the paper, but I guarantee, my coffee is beyond average (:.", ends. If you're interested in exchange ideas, Douglas utterly recommends you to make a 4th level contact with him. 9c49fd1b08539ab6d81f210953874d4fdd14b96e 143 142 2014-01-25T06:45:02Z Odoug2045 29 [[File:IMG_20131012_Kovalev89.jpg|thumb|right|top|211px]] '''Douglas S. Oliveira''' is a 24 years old boy with a decade of records on, broken things, lots of lost in personal data and money applied on wrong directions. He's currently pursuing his CCNA certification and a decent job, meanwhile trying to figure out a way to escape from native monkeys who wants to stole her hopes. "I've met Mr. Jay R. Ashworth on NANOG forum, but before had read something about BCP 38 and sounds very interesting and important to be known by everyone who cares.", say. "So here am I. Not so many cool things to say, just to translate and help where is needed. You can count on me, my skills can be few on the paper, but I guarantee, my coffee is beyond average (:.", ends. If you're interested in exchange ideas, Douglas utterly recommends you to make a 4th level [[Contact|https://twitter.com/Dskk89]] with him. 
4de8a3be2bd99aec1b397a8d5d0a5bed3e9a3f41 142 141 2014-01-25T06:42:54Z Odoug2045 29 [[File:IMG_20131012_Kovalev89.jpg|thumb|right|top|211px]] '''Douglas S. Oliveira''' is a 24 years old boy with a decade of records on, broken things, lots of lost in personal data and money applied on wrong directions. He's currently pursuing his CCNA certification and a decent job, meanwhile trying to figure out a way to escape from native monkeys who wants to stole her hopes. "I've met Mr. Jay R. Ashworth on NANOG forum, but before had read something about BCP 38 and sounds very interesting and important to be known by everyone who cares.", say. "So here am I. Not so many cool things to say, just to translate and help where is needed. You can count on me, my skills can be few on the paper, but I guarantee, my coffee is beyond average (:.", ends. If you're interested in exchange ideas, Douglas utterly recommends you to make a 4th level [[contact|http://pt.gravatar.com/odoug2045]] with him. 608de2f1b3b98191c2110433f42ec4d5e09335c4 141 140 2014-01-25T06:01:07Z Odoug2045 29 [[File:IMG_20131012_Kovalev89.jpg|thumb|right|top|211px]] '''Douglas S. Oliveira''' is a 24 years old boy with a decade of records on, broken things, lots of lost in personal data and money applied on wrong directions. He's currently pursuing his CCNA certification and a decent job, meanwhile trying to figure out a way to escape from native monkeys who wants to stole her hopes. "I've met Mr. Jay R. Ashworth on NANOG forum, but before had read something about BCP 38 and sounds very interesting and important to be known by everyone who cares.", say. "So here am I. Not so many cool things to say, just to translate and help where is needed. You can count on me, my skills can be few on the paper, but I guarantee, my coffee is beyond average (:.", ends. If you're interested in exchange ideas, Douglas utterly recommends you to make a 4th level contact[[contact|http://pt.gravatar.com/odoug2045]] with him. 
d185f406b708dcc7f3bec152e89253b6365add21 140 139 2014-01-25T05:57:32Z Odoug2045 29 [[File:IMG_20131012_Kovalev89.jpg|thumb|right|top|211px]] '''Douglas S. Oliveira''' is a 24 years old boy with a decade of records on, broken things, lots of lost in personal data and money applied on wrong directions. He's currently pursuing his CCNA certification and a decent job, meanwhile trying to figure out a way to escape from native monkeys who wants to stole her hopes. I've met Mr. Jay R. Ashworth on NANOG forum, but before had read something about BCP 38 and sounds very interesting and important to be known by everyone who cares. So here am I. Not so many cool things to say, just to translate and help where is needed. You can count on me, my skills can be few on the paper, but I guarantee, my coffee is beyond average. (: [READ MORE http://pt.gravatar.com/odoug2045] 9ea1eaffa74fa4bb40abf9bc6c12b04aa85c2108 139 138 2014-01-25T05:18:39Z Odoug2045 29 [[File:IMG_20131012_Kovalev89.jpg|thumb|right|top|211px]] '''Douglas S. Oliveira''' is a 24 years old boy with a decade of records on, broken things, lots of lost in personal data and money applied on wrong directions. He's currently pursuing her CCNA certification and a decent job, meanwhile trying to figure out a way to escape from native monkeys who wants to stole her hopes. I've met Mr. Jay R. Ashworth on NANOG forum, but before had read something about BCP 38 and sounds very interesting and important to be known by everyone who cares. So here am I. Not so many cool things to say, just to translate and help where is needed. You can count on me, my skills can be few on the paper, but I guarantee, my coffee is beyond average. (: [READ MORE http://pt.gravatar.com/odoug2045] 59f36ff9f6bf1c951214a043fd53cee61429c2ac 138 137 2014-01-25T05:12:50Z Odoug2045 29 [[File:IMG_20131012_Kovalev89.jpg|thumb|right|top|211px]] '''Douglas S. 
Oliveira''' is a 24 years old boy with a decade of records on, broken things, lost of personal data and money applying on wrong directions. He's currently pursuing her CCNA certification and a decent job, meanwhile trying to figure out a way to escape from native monkeys who wants to stole her hopes. I've met Mr. Jay R. Ashworth on NANOG forum, but before had read something about BCP 38 and sounds very interesting and important to be known by everyone who cares. So here am I. Not so many cool things to say, just to translate and help where is needed. You can count on me, my skills can be few on the paper, but I guarantee, my coffee is beyond average. (: [READ MORE http://pt.gravatar.com/odoug2045] d2c896ce71791f38b2bf9dda8bebd90cc7261ac6 137 135 2014-01-25T05:11:18Z Odoug2045 29 [[File:IMG_20131012_Kovalev89.jpg]] '''Douglas S. Oliveira''' is a 24 years old boy with a decade of records on, broken things, lost of personal data and money applying on wrong directions. He's currently pursuing her CCNA certification and a decent job, meanwhile trying to figure out a way to escape from native monkeys who wants to stole her hopes. I've met Mr. Jay R. Ashworth on NANOG forum, but before had read something about BCP 38 and sounds very interesting and important to be known by everyone who cares. So here am I. Not so many cool things to say, just to translate and help where is needed. You can count on me, my skills can be few on the paper, but I guarantee, my coffee is beyond average. (: [READ MORE http://pt.gravatar.com/odoug2045] 8458207954ec34afab3a73da307acc94dc93aac1 135 134 2014-01-25T05:08:00Z Odoug2045 29 [[File:IMG_20131012_Kovalev89.jpg]] '''Douglas S. Oliveira''' is a 24 years old boy with a decade of records on, broken things, lost of personal data and money applying on wrong directions. He's currently pursuing her CCNA certification and a decent job, meanwhile trying to figure out a way to escape from native monkeys who wants to stole her hopes. I've met Mr. 
Jay R. Ashworth on NANOG forum, but before had read something about BCP 38 and sounds very interesting and important to be known by everyone who cares. So here am I. Not so many cool things to say, just to translate and help where is needed. You can count on me, my skills can be few on the paper, but I guarantee, my coffee is beyond average. (: [READ MORE http://pt.gravatar.com/odoug2045] fe1870df4fb8f6e4823954ad4df817b28b7ba5a7 134 133 2014-01-25T05:06:33Z Odoug2045 29 '''Douglas S. Oliveira''' is a 24 years old boy with a decade of records on, broken things, lost of personal data and money applying on wrong directions. He's currently pursuing her CCNA certification and a decent job, meanwhile trying to figure out a way to escape from native monkeys who wants to stole her hopes. I've met Mr. Jay R. Ashworth on NANOG forum, but before had read something about BCP 38 and sounds very interesting and important to be known by everyone who cares. So here am I. Not so many cool things to say, just to translate and help where is needed. You can count on me, my skills can be few on the paper, but I guarantee, my coffee is beyond average. (: [READ MORE http://pt.gravatar.com/odoug2045] [[File:IMG_20131012_Kovalev89.jpg]] 9ba6c24d88c40475f1bb17d35438e341715f25f3 133 132 2014-01-25T05:05:19Z Odoug2045 29 '''Douglas S. Oliveira''' is a 24 years old boy with a decade of records on, broken things, lost of personal data and money applying on wrong directions. He's currently pursuing her CCNA certification and a decent job, meanwhile trying to figure out a way to escape from native monkeys who wants to stole her hopes. I've met Mr. Jay R. Ashworth on NANOG forum, but before had read something about BCP 38 and sounds very interesting and important to be known by everyone who cares. So here am I. Not so many cool things Yto say, just to translate and help where is needed. You can count on me, my skills can be few on the paper, but I guarantee, my coffee is beyond average. 
(: [READ MORE http://pt.gravatar.com/odoug2045] [[File:IMG_20131012_Kovalev89.jpg]] 5531c768a2b8fca1e23012ea06a38f5d56c47fc4 132 130 2014-01-25T05:04:50Z Odoug2045 29 '''Douglas S. Oliveira''' is a 24 years old boy with a decade of records on, broken things, [[File:IMG_20131012_Kovalev89.jpg]] lost of personal data and money applying on wrong directions. He's currently pursuing her CCNA certification and a decent job, meanwhile trying to figure out a way to escape from native monkeys who wants to stole her hopes. I've met Mr. Jay R. Ashworth on NANOG forum, but before had read something about BCP 38 and sounds very interesting and important to be known by everyone who cares. So here am I. Not so many cool things Yto say, just to translate and help where is needed. You can count on me, my skills can be few on the paper, but I guarantee, my coffee is beyond average. (: [READ MORE http://pt.gravatar.com/odoug2045] 11c23d3d9a349bb758350b1e61ca5bdc412dfbc8 130 129 2014-01-25T04:55:29Z Odoug2045 29 '''Douglas S. Oliveira''' is a 24 years old boy with a decade of records on, broken things, lost of personal data and money applying on wrong directions. He's currently pursuing her CCNA certification and a decent job, meanwhile trying to figure out a way to escape from native monkeys who wants to stole her hopes. I've met Mr. Jay R. Ashworth on NANOG forum, but before had read something about BCP 38 and sounds very interesting and important to be known by everyone who cares. So here am I. Not so many cool things Yto say, just to translate and help where is needed. You can count on me, my skills can be few on the paper, but I guarantee, my coffee is beyond average. (: [[File:Example.jpg]] [READ MORE http://pt.gravatar.com/odoug2045] ac5e919bcc131a8202ded925e585c5d719d570e8 129 128 2014-01-25T04:53:38Z Odoug2045 29 '''Douglas S. Oliveira''' is a 24 years old boy with a decade of records on, broken things, lost of personal data and money applying on wrong directions. 
He's currently pursuing her CCNA certification and a decent job, meanwhile trying to figure out a way to escape from native monkeys who wants to stole her hopes. I've met Mr. Jay R. Ashworth on NANOG forum, but before had read something about BCP 38 and sounds very interesting and important to be known by everyone who cares. So here am I. Not so many cool things Yto say, just to translate and help where is needed. You can count on me, my skills can be few on the paper, but I guarantee, my coffee is beyond average. (: [READ MORE http://pt.gravatar.com/odoug2045] a7b949a534aa843e04498d9a545f797caa19cd5b 128 127 2014-01-25T04:51:48Z Odoug2045 29 '''Douglas S. Oliveira''' is a 24 years old boy with a decade of records on, broken things, lost of personal data and money applying on wrong directions. He's currently pursuing her CCNA certification and a decent job, meanwhile trying to figure out a way to escape from native monkeys who wants to stole her hopes. I've met Mr. Jay R. Ashworth on NANOG forum, but before had read something about BCP 38 and sounds very interesting and important to be known by everyone who cares. So here am I. Not so many cool things Yto say, just to translate and help where is needed. You can count on me, my skills can be few on the paper, but I guarantee, my coffee is beyond average. (: [http://www.gravatar.com/avatar/29765b4eab2a1c2caeda19a511df2007.png] 83042a910eb8801d0dbf30ff545faad7fa0ae8d5 127 2014-01-25T04:49:14Z Odoug2045 29 Created page with "'''Douglas S. Oliveira''' is a 24 years old boy with a decade of records on, broken things, lost of personal data and money applying on wrong directions. He's currently pursui..." '''Douglas S. Oliveira''' is a 24 years old boy with a decade of records on, broken things, lost of personal data and money applying on wrong directions. He's currently pursuing her CCNA certification and a decent job, meanwhile trying to figure out a way to escape from native monkeys who wants to stole her hopes. 
I've met Mr. Jay R. Ashworth on NANOG forum, but before had read something about BCP 38 and sounds very interesting and important to be known by everyone who cares. So here am I. Not so many cool things Yto say, just to translate and help where is needed. You can count on me, my skills can be few on the paper, but I guarantee, my coffee is beyond average. (:[[File:http://www.gravatar.com/avatar/29765b4eab2a1c2caeda19a511df2007.png]] d060320b6ab39ea5db3c3eafa32c1678599bddaf BCP38:About 4 47 155 2014-02-18T19:23:45Z Baylink 4 First cut This is the BCP38.info wiki, a website set up to explain ingress filtering to a variety of audiences, in the hope of encouraging as many providers as possible to implement it and so reducing DDoS attacks by forcing all attack packets to contain valid source IP addresses. It is operated by Alain Hebert, and managed by Jay R. Ashworth, with contributions from BCP author Paul 'Fergdawg' Ferguson and many others... hopefully including you! If you have knowledge to impart about how to implement BCP38 at any layer of the Internet cake, please sign up for an account here and contribute it. Don't worry if wikis are not your thing; we have trained editing monkeys who will be more than pleased to pat it into shape, as long as we keep the bananas coming. BCP38: Ask For It By Name! 35a7340578dc85cc20b392f4baf6a1b9e4024c72 File:BCP38HeaderPromo.png 6 45 150 2014-01-25T19:24:47Z Odoug2045 29 It's our promotional BCP38 Best Practices... Spread the word (logo), and preserve your legacy! It's our promotional BCP38 Best Practices... Spread the word (logo), and preserve your legacy! 578bbd24846191e3dd45088ba565e780c2169c11 File:BCP38 DHCP-BR.png 6 43 146 2014-01-25T07:17:02Z Odoug2045 29 An illustration of how BCP38 can be implemented in a larger network. Courtesy Barry Greene; rights granted by e-mail, 29 March 2013. An illustration of how BCP38 can be implemented in a larger network.
Courtesy Barry Greene; rights granted by e-mail, 29 March 2013. 20d060761af49c56cd1b76b0219a2b243c05085a File:BCP38 DHCP.png 6 11 23 22 2013-03-30T18:21:11Z Baylink 4 Baylink uploaded a new version of "[[File:BCP38 DHCP.png]]": Reuploading now that thumbnailing machinery is corrected. An illustration of how BCP38 can be deployed in a larger network. Courtesy Barry Greene; rights granted by email, 29 Mar 2013. 885a70bea0416e2910f172dc0fe3aed9d9ec4459 22 2013-03-30T15:54:54Z Baylink 4 An illustration of how BCP38 can be deployed in a larger network. Courtesy Barry Greene; rights granted by email, 29 Mar 2013. An illustration of how BCP38 can be deployed in a larger network. Courtesy Barry Greene; rights granted by email, 29 Mar 2013. 885a70bea0416e2910f172dc0fe3aed9d9ec4459 File:Bcp 38.png 6 25 56 2013-04-01T01:50:06Z BCP38 Moderator 1 www.BCP38.info logo Courtesy of Job Snijders; rights granted by email 2013/03/29. www.BCP38.info logo Courtesy of Job Snijders; rights granted by email 2013/03/29. 6b38b4984f8fb99921de43997592d7974c8bf03a File:IMG 20131012 Kovalev89.jpg 6 42 136 131 2014-01-25T05:10:54Z Odoug2045 29 Odoug2045 uploaded a new version of "[[File:IMG 20131012 Kovalev89.jpg]]" A view from an event horizon. (I'm kidding, just the sun rays, burning my eyes after a party night.) d463ea968220ff50b3f5079e20a4d74e92180b37 131 2014-01-25T05:03:08Z Odoug2045 29 A view from a event horizon. (I'm kidding, just the sun rays, burning my eyes after a party night.) A view from a event horizon. (I'm kidding, just the sun rays, burning my eyes after a party night.)
d463ea968220ff50b3f5079e20a4d74e92180b37 File:Jra-picon.jpg 6 18 41 2013-03-31T14:37:05Z Baylink 4 da39a3ee5e6b4b0d3255bfef95601890afd80709 File:Screen Shot 2016-11-21 at 11.12.10.png 6 55 194 2016-11-21T16:12:56Z David Corlette 46 da39a3ee5e6b4b0d3255bfef95601890afd80709 Template:Languages 10 35 103 2013-04-08T17:47:14Z BCP38 Moderator 1 Created page with "{{nmbox | header = '''[[Project:Language policy|{{Languages/Title|{{SUBPAGENAME}}}}]]''' | text = '''[[{{{1|:{{NAMESPACE}}:{{BASEPAGENAME}}}}}|English]]''' {{Languages/Lang..." {{nmbox | header = '''[[Project:Language policy|{{Languages/Title|{{SUBPAGENAME}}}}]]''' | text = '''[[{{{1|:{{NAMESPACE}}:{{BASEPAGENAME}}}}}|English]]''' {{Languages/Lang|af|{{{1|}}}| }}{{Languages/Lang|ar|{{{1|}}}| }}{{Languages/Lang|ast|{{{1|}}}| }}{{Languages/Lang|az|{{{1|}}}| }}{{Languages/Lang|bcc|{{{1|}}}| }}{{Languages/Lang|bg|{{{1|}}}| }}{{Languages/Lang|br|{{{1|}}}| }}{{Languages/Lang|bn|{{{1|}}}| }}{{Languages/Lang|bs|{{{1|}}}| }}{{Languages/Lang|ca|{{{1|}}}| }}{{Languages/Lang|cs|{{{1|}}}| }}{{Languages/Lang|da|{{{1|}}}| }}{{Languages/Lang|de|{{{1|}}}| }}{{Languages/Lang|diq|{{{1|}}}| }}{{Languages/Lang|el|{{{1|}}}| }}{{Languages/Lang|eo|{{{1|}}}| }}{{Languages/Lang|es|{{{1|}}}| }}{{Languages/Lang|fa|{{{1|}}}| }}{{Languages/Lang|fi|{{{1|}}}| }}{{Languages/Lang|fr|{{{1|}}}| }}{{Languages/Lang|gl|{{{1|}}}| }}{{Languages/Lang|gu|{{{1|}}}| }}{{Languages/Lang|he|{{{1|}}}| }}{{Languages/Lang|hu|{{{1|}}}| }}{{Languages/Lang|hy|{{{1|}}}| }}{{Languages/Lang|id|{{{1|}}}| }}{{Languages/Lang|io|{{{1|}}}| }}{{Languages/Lang|it|{{{1|}}}| }}{{Languages/Lang|ja|{{{1|}}}| }}{{Languages/Lang|ka|{{{1|}}}| }}{{Languages/Lang|kk|{{{1|}}}| }}{{Languages/Lang|km|{{{1|}}}| }}{{Languages/Lang|ko|{{{1|}}}| }}{{Languages/Lang|ksh|{{{1|}}}| }}{{Languages/Lang|kw|{{{1|}}}| }}{{Languages/Lang|la|{{{1|}}}| }}{{Languages/Lang|mk|{{{1|}}}| }}{{Languages/Lang|ml|{{{1|}}}| }}{{Languages/Lang|mr|{{{1|}}}| }}{{Languages/Lang|ms|{{{1|}}}| 
}}{{Languages/Lang|nl|{{{1|}}}| }}{{Languages/Lang|no|{{{1|}}}| }}{{Languages/Lang|oc|{{{1|}}}| }}{{Languages/Lang|or|{{{1|}}}| }}{{Languages/Lang|pl|{{{1|}}}| }}{{Languages/Lang|pt|{{{1|}}}| }}{{Languages/Lang|pt-br|{{{1|}}}| }}{{Languages/Lang|ro|{{{1|}}}| }}{{Languages/Lang|ru|{{{1|}}}| }}{{Languages/Lang|si|{{{1|}}}| }}{{Languages/Lang|sk|{{{1|}}}| }}{{Languages/Lang|sl|{{{1|}}}| }}{{Languages/Lang|sq|{{{1|}}}| }}{{Languages/Lang|sr|{{{1|}}}| }}{{Languages/Lang|sv|{{{1|}}}| }}{{Languages/Lang|ta|{{{1|}}}| }}{{Languages/Lang|th|{{{1|}}}| }}{{Languages/Lang|tr|{{{1|}}}| }}{{Languages/Lang|uk|{{{1|}}}| }}{{Languages/Lang|vi|{{{1|}}}| }}{{Languages/Lang|yi|{{{1|}}}| }}{{Languages/Lang|yue|{{{1|}}}| }}{{Languages/Lang|zh|{{{1|}}}| }}{{Languages/Lang|zh-hans|{{{1|}}}| }}{{Languages/Lang|zh-hant|{{{1|}}}| }}{{Languages/Lang|zh-tw|{{{1|}}}}}| }}<noinclude> {{documentation}} </noinclude> 85d9de9dc7ffe45ebe9e31ca96eefbb807f5aefd Template:Languages/Lang 10 33 101 2013-04-08T17:46:11Z BCP38 Moderator 1 Created page with "<includeonly>{{#ifexist: {{#if: {{{2|}}} | {{{2}}} | {{#if: {{NAMESPACE}} | {{NAMESPACE}}:}}{{BASEPAGENAME}}}}/{{{1}}} | &nbsp;&bull;&#32;<span lang="{{{1}}}">{{#if: {{{2|}}}|..." <includeonly>{{#ifexist: {{#if: {{{2|}}} | {{{2}}} | {{#if: {{NAMESPACE}} | {{NAMESPACE}}:}}{{BASEPAGENAME}}}}/{{{1}}} | &nbsp;&bull;&#32;<span lang="{{{1}}}">{{#if: {{{2|}}}|[[{{{2}}}/{{{1}}}|{{#language:{{{1}}}}}]]| [[:{{NAMESPACE}}:{{BASEPAGENAME}}/{{{1}}}|{{#language:{{{1}}}}}]]}}</span>|<span></span>}}</includeonly><noinclude> == Template == ''This sub-template doesn't display properly when not included. Please see [[Template:Languages]] for the complete version.'' == Usage == This template is designed to simplify [[Template:Languages]], by allowing a simpler syntax for adding new languages. Each language is included by calling this template with the following parameters: * '''Language code''' (e.g. 
fr) * (optional) '''Page name''' - if not supplied the page is automatically worked out based on where the language template is included. This template should not be used anywhere except in the Languages template. [[Category:Language templates]] </noinclude> 2aafa1bec116965741eebb462cda73f2a998d419 Template:Languages/Title 10 34 102 2013-04-08T17:46:34Z BCP38 Moderator 1 Created page with "<onlyinclude>{{#switch:{{{1}}} |=Languages: |Languages=Languages: |MediaWiki=Languages: |af=Taal: |aln=Gjuha: |am=ቋምቋ፦ |an=Idioma: |ang=Sprǣc: |ar=:اللغة |arc=ܠ..." <onlyinclude>{{#switch:{{{1}}} |=Languages: |Languages=Languages: |MediaWiki=Languages: |af=Taal: |aln=Gjuha: |am=ቋምቋ፦ |an=Idioma: |ang=Sprǣc: |ar=:اللغة |arc=ܠܫܢܐ: |arn=Dungun: |arz=:اللغة |as=ভাষা: |ast=Llingua: |avk=Ava: |ay=Aru: |az=Dil: |bat-smg=Kalba: |bcc=:زبان |bcl=Tataramon: |be=Мова: |be-tarask=Мова: |bg=Език: |bn=ভাষা: |br=Yezh : |bs=Jezik: |ca=Llengua: |cdo=Ngṳ̄-ngiòng: |ce=Мотт: |ceb=Pinulongan: |ch=Lengguahe: |ckb-arab=:زمان |co=Lingua: |crh-cyrl=Тиль: |crh-latn=Til: |cs=Jazyk: |cu=ѩꙁꙑ́къ : |cv=Чĕлхе: |cy=Iaith: |da=Sprog: |de=Sprache: |diq=Zıwan: |dsb=Rěc: |ee=Gbe: |el=Γλώσσα: |en=Language: |eo=Lingvo: |es=Idioma: |et=Keel: |eu=Hizkuntza: |ext=Palra: |fa=:زبان |fi=Kieli: |fo=Mál: |fr=Langue : |frc=Langue : |frp=Lengoua : |fur=Lenghe : |fy=Taal: |ga=Teanga: |gag=Dil: |gan-hans=语言: |gan-hant=語言: |gl=Lingua: |gn=Ñe'ẽ: |got=Razda: |grc=Γλῶσσα: |gsw=Sproch: |gu=ભાષા: |gv=Çhengey: |hak=Ngî-ngièn: |haw=Kou 'ōlelo: |he=שפה: |hi=भाषा: |hif-latn=Bhasa: |hr=Jezik: |hsb=Rěč: |ht=Lang: |hu=Nyelv: |hy=Լեզու. 
|ia=Lingua: |id=Bahasa: |ie=Lingue: |ilo=Lengguahe: |io=Linguo: |is=Tungumál: |it=Lingua: |ja=言語: |jv=Basa: |ka=ენა: |kaa=Til: |kab=Tutlayt: |kg=Ndinga: |kiu=Zon: |kk-arab=:ٴتىل |kk-cyrl=Тіл: |kk-latn=Til: |km=ភាសា៖ |kn=ಭಾಷೆ: |ko=언어: |ksh=Sproch: |ku-latn=Ziman: |kv=Кыв: |kw=Yeth: |ky=Тил: |la=Lingua: |lb=Sprooch: |lfn=Lingua: |li=Taol: |lij=Lengoa: |loz=Zwa Siselect: |lt=Kalba: |lv=Valoda: |lzh=語: |mdf=Кяль: |mg=fiteny: |mhr=Йылме: |mk=Јазик: |ml=ഭാഷ: |mn=Хэл: |mr=भाषा: |ms=Bahasa: |mt=Lingwa: |mwl=Lhéngua: |my=ဘာသာ: |myv=Кель: |nah=Tlahtōlli: |nap=Lengua: |nds=Spraak: |nds-nl=Taal: |ne=भाषा: |new=भाषा: |nl=Taal: |nn=Språk: |no=Språk: |nso=Polelo: |oc=Lenga: |os=Æвзаг: |pa=ਭਾਸ਼ਾ: |pam=Amanu: |pdc=Schprooch: |pdt=Sproak: |pl=Język: |pms=Lenga: |pnb=بولی: |pnt=Γλώσσαν: |prg=Bilā: |ps=ژبه: |pt|pt-br=Língua: |qu=Rimay: |rm=Lingua: |ro=Limba: |roa-tara=Lénga: |ru=Язык: |sa=भाषा: |sah=Омугун тыла: |sc=Limba: |scn=Lingua: |sco=Leid: |sdc=Linga: |se=Giella: |sei=Itom: |sh=Jezik: |shi=tutlayt: |si=භාෂාව: |sk=Jazyk: |sl=Jezik: |sli=Sproache: |so=Luqada: |sq=Gjuha: |sr-ec=Језик: |sr-el=Jezik: |srn=Tongo: |ss=Lúlwîmi: |stq=Sproake: |su=Basa: |sv=Språk: |sw=Lugha: |szl=Godka: |ta=மொழி: |te=భాష: |tet=Lian: |tg-cyrl=Забон: |th=ภาษา: |ti=ቋንቋ: |tk=Dil: |tl=Wika: |to=Lea: |tr=Dil: |tt-cyrl=Тел: |tyv=Дыл: |ug-arab=:تىل |ug-latn=Til: |uk=Мова: |vec=Lengua: |vep=Kel’: |vi=Ngôn ngữ: |vo=Pük: |vro=Kiil: |wa=Lingaedje: |war=Yinaknan: |wo=Làkk: |wuu=语言: |xal=Келн: |xh=Ulwimi: |xmf=ნინა: |yi=שפראך: |yo=Èdè: |yue=語言: |zea=Taele: |zh-hans=语言: |zh-hant=語言: |zu=Ulimi: |#default=Language: }} </onlyinclude> == Documentation == The cases are all poached from [http://translatewiki.net/w/i.php?title=Special:Translations/loginlanguagelabel&namespace=8 here]. We can't just transclude that system message, because it includes a <tt>$1</tt>. 
b539976584085d7955aabab39425d799947ebfc4 Template:Nmbox 10 32 100 2013-04-08T17:45:37Z BCP38 Moderator 1 Created page with "<table class="nmbox" style="border:1px solid #AAAAAA; border-collapse:collapse; clear:both; font-size:85%; margin: 0.5em 0;"> <tr style="background: #EEF3E2"> {{#if:{{{image|}..." <table class="nmbox" style="border:1px solid #AAAAAA; border-collapse:collapse; clear:both; font-size:85%; margin: 0.5em 0;"> <tr style="background: #EEF3E2"> {{#if:{{{image|}}}{{{header|}}} | <th class="mbox-image" style="white-space: nowrap; padding: 4px 1em; border-right: 1px solid #aaaaaa;">{{{image|}}} {{{header|}}}</th> | <td class="mbox-empty-cell"></td> <!-- No image. Cell with some width or padding necessary for text cell to have 100% width. --> }} <td class="mbox-text" style="background: #F6F9ED;">{{{text|}}}</td> </tr></table><noinclude> {{documentation}} </noinclude> 382bb6e4269546771451d5592c4dd58a72c71e14